# Botnet labels # 10.0.2.106 V1
#
# Layout: one entry per line, a `filter="..."` expression followed by the
# `label="..."` assigned to traffic matching it. Lines starting with `#` are
# comments.
# Every filter in this part of the file has `src host 10.0.2.106`, so each
# label describes traffic sent by that host to the listed destination
# host and port.
# NOTE(review): how overlapping filters are resolved (first match or last
# match) is not visible in this file; confirm against the labelling tool.
# The destination addresses are those recorded for this capture. They are
# ground truth for this data set only and need revalidation before being
# reused as indicators elsewhere.

# Plain `tcp` filters (no `synack` keyword). Several destinations share one
# `Custom-Encryption-N` label.
filter="src host 10.0.2.106 and tcp and dst host 83.93.14.138 and dst port 9931" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 71.10.54.162 and dst port 3760" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 14.37.114.237 and dst port 3088" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 41.32.182.114 and dst port 8340" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 184.182.240.239 and dst port 7058" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 94.240.219.11 and dst port 9035" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 176.73.204.12 and dst port 8437" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 74.65.6.17 and dst port 2418" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 176.73.211.244 and dst port 8034" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 94.251.184.74 and dst port 9386" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 82.211.142.218 and dst port 9811" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 190.55.44.98 and dst port 5186" label="From-Botnet-V1-TCP-Custom-Encryption-1"
filter="src host 10.0.2.106 and tcp and dst host 69.115.119.227 and dst port 1106" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 174.76.94.24 and dst port 2458" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 36.238.35.80 and dst port 2708" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 208.105.172.66 and dst port 2747" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 88.247.80.140 and dst port 1335" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 201.255.94.8 and dst port 4423" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 151.233.138.31 and dst port 9338" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 24.107.136.226 and dst port 5630" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 71.205.243.23 and dst port 1604" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 88.203.75.4 and dst port 3532" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 99.157.164.179 and dst port 3409" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 91.236.245.22 and dst port 5326" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 75.99.113.250 and dst port 4891" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 67.209.198.223 and dst port 5901" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 83.217.187.33 and dst port 2440" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 88.130.164.213 and dst port 9291" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 75.11.171.237 and dst port 6259" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 92.4.140.211 and dst port 6775" label="From-Botnet-V1-TCP-Custom-Encryption-2"
filter="src host 10.0.2.106 and tcp and dst host 5.178.178.199 and dst port 4758" label="From-Botnet-V1-TCP-Custom-Encryption-3"
filter="src host 10.0.2.106 and tcp and dst host 213.219.135.107 and dst port 1435" label="From-Botnet-V1-TCP-Custom-Encryption-4"
filter="src host 10.0.2.106 and tcp and dst host 24.107.118.64 and dst port 1128" label="From-Botnet-V1-TCP-Custom-Encryption-4"
filter="src host 10.0.2.106 and tcp and dst host 194.246.126.196 and dst port 7306" label="From-Botnet-V1-TCP-Custom-Encryption-4"
filter="src host 10.0.2.106 and tcp and dst host 97.93.7.68 and dst port 1620" label="From-Botnet-V1-TCP-Custom-Encryption-4"
filter="src host 10.0.2.106 and tcp and dst host 46.48.247.67 and dst port 29365" label="From-Botnet-V1-TCP-Custom-Encryption-5"
filter="src host 10.0.2.106 and tcp and dst host 95.104.10.167 and dst port 7786" label="From-Botnet-V1-TCP-Custom-Encryption-5"
filter="src host 10.0.2.106 and tcp and dst host 46.48.233.117 and dst port 22868" label="From-Botnet-V1-TCP-Custom-Encryption-5"
filter="src host 10.0.2.106 and tcp and dst host 82.211.167.134 and dst port 4066" label="From-Botnet-V1-TCP-Custom-Encryption-6"
filter="src host 10.0.2.106 and tcp and dst host 46.48.235.191 and dst port 11550" label="From-Botnet-V1-TCP-Custom-Encryption-7"

# From here on the TCP filters carry the extra keyword `synack`, and most
# labels contain "Established".
# NOTE(review): `synack` is not defined in this file; presumably it selects
# flows whose TCP handshake completed. Confirm against the labelling tool.

# HTTP binary downloads.
# NOTE(review): "Custom-Port" is applied unevenly. 60.190.223.75 port 88 is
# labelled Custom-Port-5, while 222.73.45.106 port 88 (-11) and
# 61.147.99.179 port 81 (-9) are not marked as custom ports.
filter="src host 10.0.2.106 and tcp and synack and dst host 218.29.42.137 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-12"
filter="src host 10.0.2.106 and tcp and synack and dst host 222.73.45.106 and dst port 88" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-11"
filter="src host 10.0.2.106 and tcp and synack and dst host 122.228.199.136 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-10"
filter="src host 10.0.2.106 and tcp and synack and dst host 61.147.99.179 and dst port 81" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-9"
filter="src host 10.0.2.106 and tcp and synack and dst host 61.160.209.212 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-8"
filter="src host 10.0.2.106 and tcp and synack and dst host 60.190.223.75 and dst port 2012" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-Custom-Port-7"
filter="src host 10.0.2.106 and tcp and synack and dst host 60.190.223.75 and dst port 2011" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-Custom-Port-6"
filter="src host 10.0.2.106 and tcp and synack and dst host 60.190.223.75 and dst port 88" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-Custom-Port-5"
filter="src host 10.0.2.106 and tcp and synack and dst host 122.224.6.164 and dst port 82" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-Custom-Port-4"
filter="src host 10.0.2.106 and tcp and synack and dst host 195.88.191.59 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-3"
filter="src host 10.0.2.106 and tcp and synack and dst host 91.228.230.31 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-2"
filter="src host 10.0.2.106 and tcp and synack and dst host 94.63.149.152 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Binary-Download-1"

# Advertisement
# NOTE(review): the filter for 184.82.148.44 port 80 appears twice below, once
# as Ad-31 and once as Ad-26, so the label for that flow depends on match order.
# The numbering also skips Ad-14 (Ad-15 is followed by Ad-13).
filter="src host 10.0.2.106 and tcp and synack and dst host 94.63.150.52 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-46"
filter="src host 10.0.2.106 and tcp and synack and dst host 217.163.21.37 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-45"
filter="src host 10.0.2.106 and tcp and synack and dst host 74.125.232.217 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-44"
filter="src host 10.0.2.106 and tcp and synack and dst host 173.241.240.4 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-43"
filter="src host 10.0.2.106 and tcp and synack and dst host 68.67.179.209 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-42"
filter="src host 10.0.2.106 and tcp and synack and dst host 217.163.21.36 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-41"
filter="src host 10.0.2.106 and tcp and synack and dst host 195.113.232.98 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-40"
filter="src host 10.0.2.106 and tcp and synack and dst host 92.240.244.181 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-39"
filter="src host 10.0.2.106 and tcp and synack and dst host 184.82.147.252 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-38"
filter="src host 10.0.2.106 and tcp and synack and dst host 195.113.232.83 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-37"
filter="src host 10.0.2.106 and tcp and synack and dst host 70.32.97.26 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-36"
filter="src host 10.0.2.106 and tcp and synack and dst host 184.82.155.108 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-35"
filter="src host 10.0.2.106 and tcp and synack and dst host 217.163.21.34 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-34"
filter="src host 10.0.2.106 and tcp and synack and dst host 217.163.21.40 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-33"
filter="src host 10.0.2.106 and tcp and synack and dst host 195.113.232.96 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-32"
filter="src host 10.0.2.106 and tcp and synack and dst host 184.82.148.44 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-31"
filter="src host 10.0.2.106 and tcp and synack and dst host 64.236.79.229 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-30"
filter="src host 10.0.2.106 and tcp and synack and dst host 93.184.220.20 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-29"
filter="src host 10.0.2.106 and tcp and synack and dst host 68.67.185.210 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-28"
filter="src host 10.0.2.106 and tcp and synack and dst host 217.110.110.231 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-27"
filter="src host 10.0.2.106 and tcp and synack and dst host 184.82.148.44 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-26"
filter="src host 10.0.2.106 and tcp and synack and dst host 217.163.21.38 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-25"
filter="src host 10.0.2.106 and tcp and synack and dst host 67.201.31.224 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-24"
filter="src host 10.0.2.106 and tcp and synack and dst host 87.248.203.254 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-23"
filter="src host 10.0.2.106 and tcp and synack and dst host 50.23.235.4 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-22"
filter="src host 10.0.2.106 and tcp and synack and dst host 174.36.246.56 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-21"
filter="src host 10.0.2.106 and tcp and synack and dst host 67.214.158.5 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-20"
filter="src host 10.0.2.106 and tcp and synack and dst host 64.38.232.180 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-19"
filter="src host 10.0.2.106 and tcp and synack and dst host 50.22.198.84 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-18"
filter="src host 10.0.2.106 and tcp and synack and dst host 74.117.116.77 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-17"
filter="src host 10.0.2.106 and tcp and synack and dst host 94.127.76.180 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-16"
filter="src host 10.0.2.106 and tcp and synack and dst host 208.73.210.29 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-15"
filter="src host 10.0.2.106 and tcp and synack and dst host 95.172.94.64 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-13"
filter="src host 10.0.2.106 and tcp and synack and dst host 217.163.21.41 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-12"
filter="src host 10.0.2.106 and tcp and synack and dst host 87.248.203.253 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-11"
filter="src host 10.0.2.106 and tcp and synack and dst host 77.238.167.32 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-10"
filter="src host 10.0.2.106 and tcp and synack and dst host 195.113.232.88 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-yieldmanager-9"
filter="src host 10.0.2.106 and tcp and synack and dst host 217.163.21.35 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-yieldmanager-8"
filter="src host 10.0.2.106 and tcp and synack and dst host 68.67.185.209 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-7"
filter="src host 10.0.2.106 and tcp and synack and dst host 68.67.185.217 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-6"
filter="src host 10.0.2.106 and tcp and synack and dst host 69.16.175.10 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-5"
filter="src host 10.0.2.106 and tcp and synack and dst host 195.113.232.73 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-4"
filter="src host 10.0.2.106 and tcp and synack and dst host 195.113.232.97 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-3"
filter="src host 10.0.2.106 and tcp and synack and dst host 209.190.94.170 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-2"
filter="src host 10.0.2.106 and tcp and synack and dst host 98.126.71.122 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Ad-1"

# CC
# Labels follow the shape `CC<number>-<protocol/encryption detail>`.
# NOTE(review): two labels break that shape. `CC-85-Custom-Encryption` has a
# hyphen before the number and `CC79-Custom-Encryption-` ends in a hyphen.
# Anything that parses or groups labels by pattern should normalise or
# special-case both.
filter="src host 10.0.2.106 and tcp and synack and dst host 66.252.13.214 and dst port 2081" label="From-Botnet-V1-TCP-CC105-IRC-Not-Encrypted"
filter="src host 10.0.2.106 and tcp and synack and dst host 95.211.9.145 and dst port 80" label="From-Botnet-V1-TCP-CC104-HTTP-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 62.149.140.209 and dst port 80" label="From-Botnet-V1-TCP-CC103-HTTP"
filter="src host 10.0.2.106 and tcp and synack and dst host 212.124.126.66 and dst port 80" label="From-Botnet-V1-TCP-CC102-HTTP-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 194.28.87.64 and dst port 80" label="From-Botnet-V1-TCP-CC101-HTTP-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 97.74.144.110 and dst port 80" label="From-Botnet-V1-TCP-CC100-HTTP-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 84.59.151.27 and dst port 3285" label="From-Botnet-V1-TCP-CC99-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 186.92.137.193 and dst port 2873" label="From-Botnet-V1-TCP-CC98-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 212.17.122.207 and dst port 3945" label="From-Botnet-V1-TCP-CC97-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 210.210.112.17 and dst port 7465" label="From-Botnet-V1-TCP-CC96-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 176.73.233.22 and dst port 6918" label="From-Botnet-V1-TCP-CC95-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 172.242.78.165 and dst port 6687" label="From-Botnet-V1-TCP-CC94-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 200.84.7.244 and dst port 8038" label="From-Botnet-V1-TCP-CC93-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 82.211.161.86 and dst port 2017" label="From-Botnet-V1-TCP-CC92-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 78.139.149.134 and dst port 3610" label="From-Botnet-V1-TCP-CC91-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 155.230.189.121 and dst port 6758" label="From-Botnet-V1-TCP-CC90-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 31.192.7.200 and dst port 5479" label="From-Botnet-V1-TCP-CC89-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 211.38.175.27 and dst port 4598" label="From-Botnet-V1-TCP-CC88-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 82.211.141.181 and dst port 5977" label="From-Botnet-V1-TCP-CC87-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 85.90.169.173 and dst port 6297" label="From-Botnet-V1-TCP-CC86-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 89.40.177.36 and dst port 2670" label="From-Botnet-V1-TCP-CC-85-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 82.17.183.230 and dst port 3113" label="From-Botnet-V1-TCP-CC84-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 176.73.98.25 and dst port 6950" label="From-Botnet-V1-TCP-CC83-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 95.104.66.207 and dst port 7362" label="From-Botnet-V1-TCP-CC82-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 176.73.207.85 and dst port 7491" label="From-Botnet-V1-TCP-CC81-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 95.104.77.164 and dst port 3226" label="From-Botnet-V1-TCP-CC80-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 75.25.155.129 and dst port 1509" label="From-Botnet-V1-TCP-CC79-Custom-Encryption-"
filter="src host 10.0.2.106 and tcp and synack and dst host 200.91.49.183 and dst port 5371" label="From-Botnet-V1-TCP-CC78-Custom-Encryption"
filter="src host 10.0.2.106 and tcp and synack and dst host 61.135.188.210 and dst port 80" label="From-Botnet-V1-TCP-CC77-HTTP-Not-Encrypted"
filter="src host 10.0.2.106 and tcp and synack and dst host 174.128.235.237 and dst port 88" label="From-Botnet-V1-TCP-CC76-HTTP-Custom-Port-Not-Encrypted-Binary-Download"
filter="src host 10.0.2.106 and tcp and synack and dst host 222.73.45.135 and dst port 81" label="From-Botnet-V1-TCP-CC75-HTTP-Custom-Port-Not-Encrypted-Non-Periodic"
filter="src host 10.0.2.106 and tcp and synack and dst host 222.189.228.111 and dst port 3389" label="From-Botnet-V1-TCP-CC74-HTTP-Custom-Port-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 91.212.135.158 and dst port 5678" label="From-Botnet-V1-TCP-CC73" filter="src host 10.0.2.106 and tcp and synack and dst host 38.229.70.20 and dst port 6667" label="From-Botnet-V1-TCP-CC72-IRC" #filter="src host 38.229.70.20 and tcp and synack and dst host 10.0.2.106 and dst port 1027" label="From-Botnet-V1-TCP-CC71-IRC" filter="src host 10.0.2.106 and tcp and synack and dst host 184.82.155.107 and dst port 80" label="From-Botnet-V1-TCP-CC70-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 184.82.147.251 and dst port 80" label="From-Botnet-V1-TCP-CC69-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 184.154.89.154 and dst port 8735" label="From-Botnet-V1-TCP-CC68-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 173.236.31.226 and dst port 7212" label="From-Botnet-V1-TCP-CC67-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 184.82.148.43 and dst port 80" label="From-Botnet-V1-TCP-CC66-HTTP-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 67.19.72.206 and dst port 80" label="From-Botnet-V1-TCP-CC63-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 174.128.246.102 and dst port 80" label="From-Botnet-V1-TCP-CC62-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 123.126.51.33 and dst port 80" label="From-Botnet-V1-TCP-CC62-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 72.20.15.61 and dst port 80" label="From-Botnet-V1-TCP-CC61-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 74.3.164.222 and dst port 443" label="From-Botnet-V1-TCP-CC60-Custom-Encryption" filter="src host 10.0.2.106 and 
tcp and synack and dst host 174.37.196.55 and dst port 80" label="From-Botnet-V1-TCP-CC59-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 74.3.164.224 and dst port 443" label="From-Botnet-V1-TCP-CC60-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 38.229.70.20 and dst port 6667" label="From-Botnet-V1-TCP-CC59-IRC-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 193.23.181.44 and dst port 179" label="From-Botnet-V1-TCP-CC58-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 193.23.181.44 and dst port 80" label="From-Botnet-V1-TCP-CC57-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 31.192.109.161 and dst port 80" label="From-Botnet-V1-TCP-CC56-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 213.246.53.125 and dst port 5296" label="From-Botnet-V1-TCP-CC55-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 222.88.205.195 and dst port 443" label="From-Botnet-V1-TCP-CC54-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 31.192.109.167 and dst port 80" label="From-Botnet-V1-TCP-CC53-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 78.129.227.128 and dst port 5231" label="From-Botnet-V1-TCP-CC52-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 78.129.163.119 and dst port 6251" label="From-Botnet-V1-TCP-CC51-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 218.189.208.34 and dst port 6667" label="From-Botnet-V1-TCP-CC50-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 217.34.4.226 and dst port 6667" label="From-Botnet-V1-TCP-CC49-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 217.34.4.225 and dst port 6667" label="From-Botnet-V1-TCP-CC48-HTTP-Not-Encrypted" filter="src host 10.0.2.106 
and tcp and synack and dst host 211.157.110.34 and dst port 6667" label="From-Botnet-V1-TCP-CC47-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 200.171.4.222 and dst port 6667" label="From-Botnet-V1-TCP-CC46-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 184.106.213.57 and dst port 6667" label="From-Botnet-V1-TCP-CC45-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 115.85.238.119 and dst port 6667" label="From-Botnet-V1-TCP-CC44-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 89.103.213.96 and dst port 6667" label="From-Botnet-V1-TCP-CC43-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 86.123.31.54 and dst port 6667" label="From-Botnet-V1-TCP-CC42-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 82.128.83.29 and dst port 6667" label="From-Botnet-V1-TCP-CC41-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 81.10.0.18 and dst port 6667" label="From-Botnet-V1-TCP-CC40-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 66.18.85.2 and dst port 6667" label="From-Botnet-V1-TCP-CC39-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 61.177.120.254 and dst port 6667" label="From-Botnet-V1-TCP-CC38-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 61.17.216.94 and dst port 6667" label="From-Botnet-V1-TCP-CC37-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 61.17.216.92 and dst port 6667" label="From-Botnet-V1-TCP-CC36-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 61.17.216.86 and dst port 6667" label="From-Botnet-V1-TCP-CC35-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 61.17.216.4 and dst port 6667" label="From-Botnet-V1-TCP-CC34-HTTP-Not-Encrypted" filter="src host 
10.0.2.106 and tcp and synack and dst host 61.17.216.25 and dst port 6667" label="From-Botnet-V1-TCP-CC33-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 61.17.216.22 and dst port 6667" label="From-Botnet-V1-TCP-CC32-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 61.17.216.15 and dst port 6667" label="From-Botnet-V1-TCP-CC31-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 61.167.116.133 and dst port 6667" label="From-Botnet-V1-TCP-CC30-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 61.150.114.216 and dst port 6667" label="From-Botnet-V1-TCP-CC29-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 60.173.109.42 and dst port 6667" label="From-Botnet-V1-TCP-CC28-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 58.42.247.143 and dst port 6667" label="From-Botnet-V1-TCP-CC27-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 58.215.78.1 and dst port 6667" label="From-Botnet-V1-TCP-CC26-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 61.177.120.254 and dst port 6667" label="From-Botnet-V1-TCP-CC25-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 86.123.31.54 and dst port 6667" label="From-Botnet-V1-TCP-CC24-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 195.190.13.78 and dst port 80" label="From-Botnet-V1-TCP-CC23-Plain-HTTP-Encrypted-Data" filter="src host 10.0.2.106 and tcp and synack and dst host 174.133.57.141 and dst port 80" label="From-Botnet-V1-TCP-CC22-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 60.173.109.42 and dst port 6667" label="From-Botnet-V1-TCP-CC21-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 195.190.13.70 and dst port 80" 
label="From-Botnet-V1-TCP-CC20-Plain-HTTP-Encrypted-Data" filter="src host 10.0.2.106 and tcp and synack and dst host 221.207.141.60 and dst port 6667" label="From-Botnet-V1-TCP-CC19-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 219.232.102.130 and dst port 6667" label="From-Botnet-V1-TCP-CC18-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 219.145.198.122 and dst port 6667" label="From-Botnet-V1-TCP-CC17-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 173.192.170.88 and dst port 80" label="From-Botnet-V1-TCP-CC16-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 204.12.208.59 and dst port 443" label="From-Botnet-V1-TCP-CC15-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 202.112.126.218 and dst port 6667" label="From-Botnet-V1-TCP-CC14-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 208.110.80.34 and dst port 443" label="From-Botnet-V1-TCP-CC13-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 91.220.0.52 and dst port 80" label="From-Botnet-V1-TCP-CC12-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and tcp and synack and dst host 212.117.161.86 and dst port 65500" label="From-Botnet-V1-TCP-CC11-Not-Encrypted-Multiprotocol-Proxy" filter="src host 10.0.2.106 and tcp and synack and dst host 89.149.217.37 and dst port 65500" label="From-Botnet-V1-TCP-CC10-Not-Encrypted-Multiprotocol-Proxy" filter="src host 10.0.2.106 and tcp and synack and dst host 50.7.244.234 and dst port 65500" label="From-Botnet-V1-TCP-CC9-Not-Encrypted-Multiprotocol-Proxy" filter="src host 10.0.2.106 and tcp and synack and dst host 212.117.171.138 and dst port 65500" label="From-Botnet-V1-TCP-CC8-Not-Encrypted-Multiprotocol-Proxy" filter="src host 10.0.2.106 and tcp and synack and dst host 74.3.164.222 and dst port 443" label="From-Botnet-V1-TCP-CC7-Custom-Encryption" filter="src 
host 10.0.2.106 and tcp and synack and dst host 60.190.223.75 and dst port 888" label="From-Botnet-V1-TCP-CC6-Plain-HTTP-Encrypted-Data" filter="src host 10.0.2.106 and tcp and synack and dst host 94.63.150.63 and dst port 80" label="From-Botnet-V1-TCP-CC5-Plain-HTTP-Encrypted-Data" filter="src host 10.0.2.106 and tcp and synack and dst host 83.133.119.197 and dst port 65520" label="From-Botnet-V1-TCP-CC4-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 174.123.157.154 and dst port 80" label="From-Botnet-V1-TCP-CC3-HTTP-Not-Encrypted" filter="src host 10.0.2.106 and udp and con and dst host 188.72.241.107 and dst port 3524" label="From-Botnet-V1-UDP-CC2-Custom-Encryption" filter="src host 10.0.2.106 and tcp and synack and dst host 58.42.247.165 and dst port 6667" label="From-Botnet-V1-TCP-CC1-HTTP-Not-Encrypted" # TCP Actions. Same state, same label filter="src host 10.0.2.106 and tcp and synack and dst host 65.55.72.7 and dst port 443" label="From-Botnet-V1-TCP-Established-Custom-Encryption-1" # UDP Actions. 
Same state, same label filter="src host 10.0.2.106 and udp and con and dst host 219.133.60.36 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.106 and udp and con and dst host 58.60.14.37 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.106 and udp and con and dst host 219.133.49.171 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.106 and udp and con and dst host 58.60.15.39 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.106 and udp and con and dst host 112.90.138.160 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.16.12 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.16.244 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.16.10 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.49.126 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 112.90.86.181 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.48.105 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.49.31 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.49.123 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con 
and dst host 119.147.45.89 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 112.90.86.183 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 119.147.45.15 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.49.124 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.48.104 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.16.16 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.49.30 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.16.17 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 112.90.86.182 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.49.33 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 112.95.240.134 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 112.90.86.184 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.48.101 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 112.95.240.74 and dst port 8000" 
label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 119.147.45.254 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 119.147.45.251 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.48.103 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 183.60.16.15 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.106 and udp and con and dst host 119.147.45.253 and dst port 8000" label="From-Botnet-V1-UDP-Established-Custom-Encryption-1" # From Botnet to Google filter="src host 10.0.2.106 and tcp and synack and dst net 195.113.214.0/24 and dst port 80" label="From-Botnet-V1-TCP-HTTP-Google-Net-Established-1" filter="src host 10.0.2.106 and tcp and synack and dst net 209.85.148.0/24 and dst port 80" label="From-Botnet-V1-TCP-HTTP-Google-Net-Established-2" filter="src host 10.0.2.106 and tcp and synack and dst net 173.194.112.0/24 and dst port 80" label="From-Botnet-V1-TCP-HTTP-Google-Net-Established-3" filter="src host 10.0.2.106 and tcp and synack and dst net 173.194.113.0/24 and dst port 80" label="From-Botnet-V1-TCP-HTTP-Google-Net-Established-4" filter="src host 10.0.2.106 and tcp and synack and dst net 173.194.114.0/24 and dst port 80" label="From-Botnet-V1-TCP-HTTP-Google-Net-Established-5" filter="src host 10.0.2.106 and tcp and synack and dst net 74.125.0.0/16 and dst port 80" label="From-Botnet-V1-TCP-HTTP-Google-Net-Established-6" filter="src host 10.0.2.106 and tcp and synack and dst net 209.85.149.0/24 and dst port 80" label="From-Botnet-V1-TCP-HTTP-Google-Net-Established-7" # From botnet to Java update filter="src host 10.0.2.106 and tcp and synack and dst host 72.5.123.29 and dst port 80" 
label="From-Botnet-V1-TCP-Established-HTTP-Java-1" # From botnet to Adobe update filter="src host 10.0.2.106 and tcp and synack and dst host 66.235.128.158 and dst port 443" label="From-Botnet-V1-TCP-Established-HTTP-SSL-Adobe-5" filter="src host 10.0.2.106 and tcp and synack and dst host 195.113.232.91 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Adobe-4" filter="src host 10.0.2.106 and tcp and synack and dst host 193.45.10.152 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Adobe-3" filter="src host 10.0.2.106 and tcp and synack and dst host 193.45.10.168 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Adobe-2" filter="src host 10.0.2.106 and tcp and synack and dst host 217.212.238.64 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-Adobe-1" # From botnet to AVG filter="src host 10.0.2.106 and tcp and synack and dst host 66.235.133.14 and dst port 80" label="From-Botnet-V1-TCP-Established-To-AVG-1" # From botnet to Microsoft filter="src host 10.0.2.106 and tcp and synack and dst host 64.4.56.87 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-To-Microsoft-Live-3" filter="src host 10.0.2.106 and tcp and synack and dst host 65.54.234.75 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-To-Microsoft-Live-2" filter="src host 10.0.2.106 and tcp and synack and dst host 94.245.116.9 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-To-Microsoft-Live-1" filter="src host 10.0.2.106 and tcp and synack and dst host 64.4.56.103 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-To-Microsoft-7" filter="src host 10.0.2.106 and tcp and synack and dst host 64.4.2.109 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-To-Microsoft-6" filter="src host 10.0.2.106 and tcp and synack and dst host 64.4.56.23 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-To-Microsoft-5" filter="src host 10.0.2.106 and tcp and synack and dst host 65.55.75.231 and dst port 80" 
label="From-Botnet-V1-TCP-Established-HTTP-To-Microsoft-4" filter="src host 10.0.2.106 and tcp and synack and dst host 65.55.72.7 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-To-Microsoft-3" filter="src host 10.0.2.106 and tcp and synack and dst host 64.4.52.169 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-To-Microsoft-2" filter="src host 10.0.2.106 and tcp and synack and dst host 65.55.13.243 and dst port 80" label="From-Botnet-V1-TCP-Established-HTTP-To-Microsoft-1" filter="src host 10.0.2.106 and tcp and synack and dst host 65.54.186.10 and dst port 443" label="From-Botnet-V1-TCP-Established-SSL-To-Microsoft-7" filter="src host 10.0.2.106 and tcp and synack and dst host 65.55.40.23 and dst port 443" label="From-Botnet-V1-TCP-Established-SSL-To-Microsoft-6" filter="src host 10.0.2.106 and tcp and synack and dst host 65.54.234.78 and dst port 443" label="From-Botnet-V1-TCP-Established-SSL-To-Microsoft-5" filter="src host 10.0.2.106 and tcp and synack and dst host 65.55.16.187 and dst port 443" label="From-Botnet-V1-TCP-Established-SSL-To-Microsoft-4" filter="src host 10.0.2.106 and tcp and synack and dst host 65.54.234.24 and dst port 443" label="From-Botnet-V1-TCP-Established-SSL-To-Microsoft-3" filter="src host 10.0.2.106 and tcp and synack and dst host 65.55.40.215 and dst port 443" label="From-Botnet-V1-TCP-Established-SSL-To-Microsoft-2" filter="src host 10.0.2.106 and tcp and synack and dst host 157.55.0.135 and dst port 443" label="From-Botnet-V1-TCP-Established-SSL-To-Microsoft-1" ######################### # Generic for this Botnet # Netbios requests from botnet in the lan filter="src host 10.0.2.106 and udp and not con and dst port 137" label="From-Botnet-V1-UDP-Attempt-NetBIOS" # States are too different... maybe can be splited... 
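# Generic fall-back rules for the bot host 10.0.2.106, followed by the
# site-wide Normal/Background rules. Each entry pairs a flow filter with the
# label given to matching flows.
# NOTE(review): the specific rules sit above the generic ones, which suggests
# the labeler stops at the first match -- confirm, because every generic rule
# below relies on that ordering to avoid relabeling botnet flows.

# Web traffic from the bot, one rule per port (same pattern as the SPAM rules
# below). A single filter of the form "... and dst port 80 or dst port 443" has
# no grouping: if "and" takes precedence over "or" in this filter language, the
# "dst port 443" half would match flows from any source and label them as
# botnet traffic, contaminating the ground truth.
# NOTE(review): operator precedence of the labeler is not visible here -- confirm.
filter="src host 10.0.2.106 and tcp and synack and dst port 80" label="From-Botnet-V1-TCP-WEB-Established"
filter="src host 10.0.2.106 and tcp and synack and dst port 443" label="From-Botnet-V1-TCP-WEB-Established"
filter="src host 10.0.2.106 and tcp and synack and dst port 25" label="From-Botnet-V1-TCP-Established-SPAM"
filter="src host 10.0.2.106 and tcp and synack and dst port 587" label="From-Botnet-V1-TCP-Established-SPAM"
filter="src host 10.0.2.106 and tcp and syn and dst port 25" label="From-Botnet-V1-TCP-Attempt-SPAM"
filter="src host 10.0.2.106 and tcp and syn and dst port 587" label="From-Botnet-V1-TCP-Attempt-SPAM"
filter="src host 10.0.2.106 and tcp and synack" label="From-Botnet-V1-TCP-Established"
filter="src host 10.0.2.106 and tcp and syn" label="From-Botnet-V1-TCP-Attempt"
filter="src host 10.0.2.106 and udp and con and dst port 53" label="From-Botnet-V1-UDP-DNS"
filter="src host 10.0.2.106 and udp and not con and dst port 53" label="From-Botnet-V1-UDP-Attempt-DNS"
# State: 440u0u0u0u, 110u0u, 440u0u0u0u0u0u0u, 140u0u0r0u, 440u0u0u0u0u0u0u0u0u0u0u0u0u0u0u0u0u0
filter="src host 10.0.2.106 and udp and not con" label="From-Botnet-V1-UDP-Attempt"
filter="src host 10.0.2.106 and udp and con" label="From-Botnet-V1-UDP-Established"
# ARP
filter="src host 10.0.2.106 and arp" label="From-Botnet-V1-ARP"
###############################################################################################################################################################
###############
# Generic rules
# Normal labels
# Known campus servers: traffic they originate is labeled Normal, traffic sent
# to them is labeled Background (the proxy is Background in both directions).
filter="src host 147.32.1.20 or src host 147.32.80.9" label="From-Normal-CVUT-DNS-Server"
filter="dst host 147.32.1.20 or dst host 147.32.80.9" label="To-Background-CVUT-DNS-Server"
# proxy
filter="src host 147.32.80.13" label="From-Background-CVUT-Proxy"
filter="dst host 147.32.80.13" label="To-Background-CVUT-Proxy"
# grill
filter="src host 147.32.84.164" label="From-Normal-Grill"
filter="dst host 147.32.84.164" label="To-Background-Grill"
# jist
filter="src host 147.32.84.134" label="From-Normal-Jist"
filter="dst host 147.32.84.134" label="To-Background-Jist"
# stribrek
filter="src host 147.32.84.170" label="From-Normal-Stribrek"
filter="dst host 147.32.84.170" label="To-Background-Stribrek"
# matlab server
filter="src host 147.32.87.11" label="From-Normal-MatLab-Server"
filter="dst host 147.32.87.11" label="To-Background-MatLab-Server"
# webserver FIXME (author's marker; what needs fixing is not stated)
filter="src host 147.32.87.36" label="From-Normal-CVUT-WebServer"
filter="dst host 147.32.87.36" label="To-Background-CVUT-WebServer"
# ntp server UDP 82.208.56.89 77.78.110.71
# NOTE(review): two servers are named but only 82.208.56.89 has a rule here;
# 77.78.110.71 presumably falls through to a generic NTP/UDP rule -- confirm.
filter="dst host 82.208.56.89 and dst port 123 and udp" label="To-Normal-UDP-NTP-server"
# Background from CVUT: hosts we are not sure are completely normal.
# exile 147.32.80.76
filter="host 147.32.80.76" label="Background-Exile-Host-CVUT"
# smith 147.32.80.72
filter="host 147.32.80.72" label="Background-Smith-Host-CVUT"
# smith2 147.32.80.184
filter="host 147.32.80.184" label="Background-Smith2-Host-CVUT"
# jones 147.32.80.102
filter="host 147.32.80.102" label="Background-Jones-Host-CVUT"
# webdav.agents 147.32.80.109
filter="host 147.32.80.109" label="Background-Webdav.agents-Host-CVUT"
# knock 147.32.80.75
filter="host 147.32.80.75" label="Background-Knock-Host-CVUT"
# agents 147.32.80.88
filter="host 147.32.80.88" label="Background-Agents-Host-CVUT"
# vmm 147.32.83.60
filter="host 147.32.83.60" label="Background-Vmm-Host-CVUT"
# info336 147.32.80.73
# NOTE(review): the comment says 147.32.80.73 but the filter matches
# 147.32.83.73; one of the two is wrong -- confirm the info336 address.
filter="host 147.32.83.73" label="Background-Info336-Host-CVUT"
# cs 147.32.80.1
filter="host 147.32.80.1" label="Background-CS-Host-CVUT"
# www.fel.cvut.cz 147.32.192.13
filter="host 147.32.192.13" label="Background-www.fel.cvut.cz"
# cmpgw-27.felk.cvut.cz 147.32.84.59 (not sure if everything is normal)
filter="host 147.32.84.59 and not con" label="Background-Attempt-cmpgw-CVUT"
filter="host 147.32.84.59 and con" label="Background-Established-cmpgw-CVUT"
##########################
# Background from Internet
# google-analytics
filter="host 74.125.232.192" label="Background-google-analytics1"
filter="host 74.125.232.193" label="Background-google-analytics2"
filter="host 74.125.232.194" label="Background-google-analytics3"
filter="host 74.125.232.195" label="Background-google-analytics4"
filter="host 74.125.232.196" label="Background-google-analytics5"
filter="host 74.125.232.197" label="Background-google-analytics6"
filter="host 74.125.232.198" label="Background-google-analytics7"
filter="host 74.125.232.199" label="Background-google-analytics8"
filter="host 74.125.232.200" label="Background-google-analytics9"
filter="host 74.125.232.201" label="Background-google-analytics10"
filter="host 74.125.232.202" label="Background-google-analytics11"
filter="host 74.125.232.203" label="Background-google-analytics12"
filter="host 74.125.232.204" label="Background-google-analytics13"
filter="host 74.125.232.205" label="Background-google-analytics14"
filter="host 74.125.232.206" label="Background-google-analytics15"
filter="host 74.125.232.207" label="Background-google-analytics16"
# google-webmail
filter="host 74.125.232.213" label="Background-google-webmail"
# google-pop-email
filter="host 74.125.39.108" label="Background-google-pop"
# ajax.googleapis.com
filter="host 209.85.149.95" label="Background-ajax.google"
# Windows update
filter="host 207.200.96.138 and port 80" label="Normal-HTTP-windowsupdate"
filter="host 74.125.218.80 and port 80" label="Normal-HTTP-windowsupdate"
# NOTE(review): identical to the first Windows update rule above; either
# redundant or a typo for a different address -- confirm.
filter="host 207.200.96.138 and port 80" label="Normal-HTTP-windowsupdate"
filter="host 74.125.108.212 and port 80" label="Normal-HTTP-windowsupdate"
filter="host 74.125.108.199 and port 80" label="Normal-HTTP-windowsupdate"
# Normal generic rules. Be careful.
# Google talk voice and video.
filter="udp and con and dst net 74.125.47.0/24 and dst port 19295" label="Background-UDP-Google-Voice-Video-Net-Established-1"
# Google, imac of jabber chat.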
filter="tcp and synack and dst net 209.85.163.0/24 and dst port 5222" label="Background-TCP-Google-Jabber-Chat-Net-Established-1"
# NTP
# No host constraint: any established UDP flow to port 123 gets this label.
filter="udp and con and dst port 123" label="Background-UDP-NTP-Established-1"
#########################
# Final Background labels
# Protocol/state fall-backs with no host or port constraint.
# NOTE(review): these only stay harmless if the labeler applies the first
# matching rule, so that botnet and named-host rules earlier in the file win --
# confirm the evaluation order before reordering or appending rules.
filter="tcp and synack" label="Background-TCP-Established"
filter="tcp and syn" label="Background-TCP-Attempt"
filter="udp and con" label="Background-UDP-Established"
filter="udp and not con" label="Background-UDP-Attempt"
# Empty filter: presumably matches every flow not labeled above (e.g. protocols
# other than TCP/UDP) -- confirm against the labeler's handling of "".
filter="" label="Background"