# Botnet labels # (e9) State:33t filter="src host 10.0.2.110 and tcp and synack and dst host 82.128.83.29 and dst port 6667" label="From-Botnet-V31-1-TCP-HTTP-Not-Encrypted-Down-3" # (e9) State:31r0t # (e9) State:31rt filter="src host 10.0.2.110 and tcp and synack and dst host 211.157.110.34 and dst port 6667" label="From-Botnet-V31-1-TCP-HTTP-Not-Encrypted-Down-2" # (e9) State:110r # (e9) State:13t filter="src host 10.0.2.110 and tcp and synack and dst host 66.18.85.2 and dst port 6667" label="From-Botnet-V31-1-TCP-HTTP-Not-Encrypted-Down-1" # (e2) State:33ctttctttttttstcccccaccccccccccccccccccccacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCttttcCBccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccacccccccccctCCsBaaaccccccccccccccccccccccccccccccccccccccccccccccccccaccccccccccccccccccccttcCctcccccccccccccccccccccaccccccccccccccccccccccccacacccccttttcccccccccccccccccccccccccccccccccccccbcccccccccccccccccccccccccccccccccccccaccccccccccccccccccccccccctCtscccbccccccccccccccccccccccccccccccccaccccccccccccccccccccccccccccccccacaccaacccccccccccccCstccaccccbcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCccttcccACcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctsccccccccccccccccccbccccccccccccccccccccacccccccccccccccCcCcttaaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccacccccccccctCcCcttcccccccccccccccccccccccccccccccccbcccccccccccccccccccccccccccccccccccccccccCcCcttcccccccccccccccccccccccbccccccccccccccccccccccccccccccccccccccccccccttccCCtcccbcccccccccccccccccccccccccccccccacccccccccccccccccccCctctCccccccccccccccccccccccccccccccccccccccccccccccccccccccCcCcttCcccccccccccccccccccccccccccbccccccccccccccccccccccccccccccccccccttttttttttttattttttttctCttttttttttttctttrtttBCtttttttctttratttrrtttttttttttCttCttttsrtstrrrrrrarrArrrrrrrrrrrrasBrrrrrrrrArrrrrrrrrrarrrrrrrrrrrrrrara filter="src host 10.0.2.110 and tcp and 
synack and dst host 72.20.15.61 and dst port 80" label="From-Botnet-V31-1-TCP-HTTP-Persistent-Down-1" # (e2) State:33ttttttCtttttCrraaaaaacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttrrccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttcrrAAaaaaaaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctrraacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCccccctCrraaaaaaccaacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCtcCrracccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctrraaaaaaacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttctCCCccccccccccccccccccccccccccccccccccccccccccccccccCcCaraacacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCcCcCCCcCCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCttCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCcCcCcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttCcccCCCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCccCccccCCCCcccccccccccccccccccccccccccccccccccccccccccccccccccccCcCcCccccccCCCcccccccccccccccccccccccccccccccccccccccccccccccccccCcccccccttccccccccccccccccccccccccccccccccccccccccccccccccccccrrrrrrrrrrrrrrrrrrrrrrarrrarrrrrrrAArrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrArrrrrrrrrrrrrrrrrrrrrrrraArrrrrrrrrraarrrrrrrrrrrrrAArrrrrrrArarrr filter="src host 10.0.2.110 and tcp and synack and dst host 193.23.181.44 and dst port 179" label="From-Botnet-V31-1-TCP-HTTP-Persistent-Down-1" # (e2) 
State:33ttttctcctttttrraaaaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttCAraaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCttrrcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctAraaaaaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCArAacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctAraaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccrraaacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCCCccccCCtccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCrraaaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCccccttccCCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCttCCCCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttcCCttcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCcCcttccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCttccccccccccccccccccccccccccccccccccccccccccccccccccccccccCcCCttCccccccccccccccccccccccccccccccccccccccccccccctccCtcccccccccccccccccccccccccccccccccccccccccccccccccccccccrrrrrrrrAarrrAarrrrrrrrArrrrrrrrrrrrrrrrrrrrrrrrrrrrrararrrrrrrrrrrrrarrrrrrrrrrrrrrrarrrrrrrrrrArrrrrrrrrrrrraArrrrrrrarrArrrrrrrrrrrrrrrrrrrAarrrrrrrrrarrraarrrr filter="src host 10.0.2.110 and tcp and synack and dst host 193.23.181.44 and dst port 80" label="From-Botnet-V31-1-TCP-HTTP-Persistent-Down-1" # (e2) 
State:33cccctttcttttctttcttcttttttttttttttcttccccccccccccccccccccccccccccccccacccccccccccccccccccccccccaaaacccccccaacccccccccccccaacttcccttCcccccccccccccccccccccccccccccccccccaaaacccccccccccccccccccccccccccccccccccccccccccccccccccccccttcCtttccCccccccccccccccccaccccccccccccccccccccccccccccccccccccccccccccccccccccccccaccCCtttcCcccccccccccccccccaccccccccccccccccccccccccccccccacccccccccccccccccccccCtttcaccccccccccccccccccccccccccccacccccccccccccccccccccccccccccccccccccccccccccccccccctttCttcccccccccccccccccccccccccccccccbbbcccccccccccccccccccccccbbbccccccccccccccccCcccCcccccccccccccccccccccacccaacccccccccccccccccccccccccccaccccccccccccccccccccccccccccCCcCtccccccccccccccccccccccccccccccccccccccccccccccccccccaccccccccccccccccccccccccccccccCcttcccccCccccccccccccccccccccccccccccccccccccacccccccccccacccaccttCCtCcccccccccccccccccccccccbbbbcccccccccccccccccccccccacccccccccccccccccccccccccccccccttccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccaacccccCCcccccCcccccccccccccccccccccbbcccccccccccccccccaaaacccccccccccccccccccccccccccccccccccccCCccCCttcccccccccccccaccccccccccccccccccccccccccccccccccccccccaacccccccCCccttccccccccccccccccccccccccccccccccccccccccccccccccccccctcctccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCcccccCctccccccccccccccccccccccccccccccccccaaccccccccccccccacccccttttttttcCttttttcttrttttrcttttctttrCttcttAttttttrtrttttcttttcCttCtctttCrttttttttttttcttttttccAttrtcCttArArtrarrrrAarrrrrrrrrrrssArrrArarrarArrrrrrrraArrararrArrrrrArrrrrrArrrrrrrrrAr filter="src host 10.0.2.110 and tcp and synack and dst host 174.37.196.55 and dst port 80" label="From-Botnet-V31-1-TCP-HTTP-Persistent-Down-1" # (e2) 
State:33cctttttCtttttttttttttttttCcttatccaaaaccbcccccccccccccccccccaaaacccccccccccaccccccccccccccccaaaccccccccccccccccCttacccaaccccccccccccccccccccccccccccccccccccacccccccccccccccccccccccccccccccccccccccttttccccccccaccaccccccccccccccccccccccccccccccccccccccccccacccccccccccccccccccccccccccccccCCtttctrcccaccaccccccccccccccccccccccccccccccccccccccccccccccccccccccacccccccccccccccccccccccccccccccccccccccccttattccccacacaacccbccccccccccccccccccccccccccccccccccccccccccccabcccccccccbcacccccccccccccccccacccCCrtAaabbbccccccccccccccccccccccccccccccbccaaacacccccccccccccccccccccccccccccaaaaccccccttcccttccccccccccccccaacaacccccccccccccccccccccccccccccccacccccccccccccccccccaaacacccbcccttcAAtcccccccaabcccccccccccccccccccccccccccccacaabacccccccccccccccccaaccccccccacaccttccccccccbccccccccccccccccccaccccccccccccccccccccccccccccccccccccccttcccccccbccccccccccccccccccccccccccccccccccccccccccbcacccccccccttccttccccbcccacccccccccccccccabccccccccccccccccccccccccccccccCabArtcCCabcbccccccccccccccccccbacccccccccccccccccccbccaccccccccccccccctscCcBtaaaCccbcccccccccccccccccccccaccccccccccccccccccacccccccccccccCtccttBCcccccccccccccccccccccccaccccccccccccccccccaacccccccccAtccaattcabacbccccccccccccccccccccccccbaccacccccccccccccccccaccccccctCtccccaccccbcccccccccccccccccccccccccccbccccccccccttrsarttrtstttrttrtbtCasttstCastttrtsstttCttCtrccrCttttttCtttstrttrCCtttcttttttrtttttctttttcttttttttttcrrtttccrttrttttttttttCtttttttttttttttcttttrrrrtrrtttstArtrtttttttt filter="src host 10.0.2.110 and tcp and synack and dst host 174.128.246.102 and dst port 80" label="From-Botnet-V31-1-TCP-HTTP-Persistent-Down-1" # Seems to be a CC, but we can not be sure because the connection is DOWN and not answering. So it is more like a down connection with automatic retrying. 
# (e7) State:99ciiiiizziiittcccc filter="src host 10.0.2.110 and tcp and synack and dst host 174.128.246.102 and dst port 80" label="From-Botnet-V31-1-TCP-Persistent-Down-2" # ICMP filter="src host 10.0.2.110 and icmp" label="From-Botnet-V31-1-ICMP" filter="src host 10.0.2.110 and tcp and dst host 83.93.14.138 and dst port 9931" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 71.10.54.162 and dst port 3760" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 14.37.114.237 and dst port 3088" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 41.32.182.114 and dst port 8340" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 184.182.240.239 and dst port 7058" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 94.240.219.11 and dst port 9035" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 176.73.204.12 and dst port 8437" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 74.65.6.17 and dst port 2418" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 176.73.211.244 and dst port 8034" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 94.251.184.74 and dst port 9386" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 82.211.142.218 and dst port 9811" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 190.55.44.98 and dst port 5186" label="From-Botnet-V31-1-TCP-Custom-Encryption-1" filter="src host 10.0.2.110 and tcp and dst host 69.115.119.227 and dst port 1106" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and 
tcp and dst host 174.76.94.24 and dst port 2458" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 36.238.35.80 and dst port 2708" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 208.105.172.66 and dst port 2747" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 88.247.80.140 and dst port 1335" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 201.255.94.8 and dst port 4423" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 151.233.138.31 and dst port 9338" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 24.107.136.226 and dst port 5630" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 71.205.243.23 and dst port 1604" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 88.203.75.4 and dst port 3532" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 99.157.164.179 and dst port 3409" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 91.236.245.22 and dst port 5326" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 75.99.113.250 and dst port 4891" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 67.209.198.223 and dst port 5901" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 83.217.187.33 and dst port 2440" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 88.130.164.213 and dst port 9291" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 
75.11.171.237 and dst port 6259" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 92.4.140.211 and dst port 6775" label="From-Botnet-V31-1-TCP-Custom-Encryption-2" filter="src host 10.0.2.110 and tcp and dst host 5.178.178.199 and dst port 4758" label="From-Botnet-V31-1-TCP-Custom-Encryption-3" filter="src host 10.0.2.110 and tcp and dst host 213.219.135.107 and dst port 1435" label="From-Botnet-V31-1-TCP-Custom-Encryption-4" filter="src host 10.0.2.110 and tcp and dst host 24.107.118.64 and dst port 1128" label="From-Botnet-V31-1-TCP-Custom-Encryption-4" filter="src host 10.0.2.110 and tcp and dst host 194.246.126.196 and dst port 7306" label="From-Botnet-V31-1-TCP-Custom-Encryption-4" filter="src host 10.0.2.110 and tcp and dst host 97.93.7.68 and dst port 1620" label="From-Botnet-V31-1-TCP-Custom-Encryption-4" filter="src host 10.0.2.110 and tcp and dst host 46.48.247.67 and dst port 29365" label="From-Botnet-V31-1-TCP-Custom-Encryption-5" filter="src host 10.0.2.110 and tcp and dst host 95.104.10.167 and dst port 7786" label="From-Botnet-V31-1-TCP-Custom-Encryption-5" filter="src host 10.0.2.110 and tcp and dst host 46.48.233.117 and dst port 22868" label="From-Botnet-V31-1-TCP-Custom-Encryption-5" filter="src host 10.0.2.110 and tcp and dst host 82.211.167.134 and dst port 4066" label="From-Botnet-V31-1-TCP-Custom-Encryption-6" filter="src host 10.0.2.110 and tcp and dst host 46.48.235.191 and dst port 11550" label="From-Botnet-V31-1-TCP-Custom-Encryption-7" filter="src host 10.0.2.110 and tcp and synack and dst host 218.29.42.137 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-12" filter="src host 10.0.2.110 and tcp and synack and dst host 222.73.45.106 and dst port 88" label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-11" filter="src host 10.0.2.110 and tcp and synack and dst host 122.228.199.136 and dst port 80" 
label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-10" filter="src host 10.0.2.110 and tcp and synack and dst host 61.147.99.179 and dst port 81" label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-9" filter="src host 10.0.2.110 and tcp and synack and dst host 61.160.209.212 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-8" filter="src host 10.0.2.110 and tcp and synack and dst host 60.190.223.75 and dst port 2012" label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-Custom-Port-7" filter="src host 10.0.2.110 and tcp and synack and dst host 60.190.223.75 and dst port 2011" label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-Custom-Port-6" filter="src host 10.0.2.110 and tcp and synack and dst host 60.190.223.75 and dst port 88" label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-Custom-Port-5" filter="src host 10.0.2.110 and tcp and synack and dst host 122.224.6.164 and dst port 82" label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-Custom-Port-4" filter="src host 10.0.2.110 and tcp and synack and dst host 195.88.191.59 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-3" filter="src host 10.0.2.110 and tcp and synack and dst host 91.228.230.31 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-2" filter="src host 10.0.2.110 and tcp and synack and dst host 94.63.149.152 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Binary-Download-1" # Advertisement # (e9) State:11raAA filter="src host 10.0.2.110 and tcp and synack and dst host 174.123.157.154 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-64" # (e1) 
State:99xgiiiggggigghgiIigiggiIighiggghggigigigighhgigigggigigggigighihiggiihgiggzzziiiigiihigiigiiiiIgighigiiiggiiyziggihgiiiiiigIggigiigiiigghggiigigiigigigghggigiigggggiggihighhhgigggiggizGIGGIGGGiGxIhII0zyxgGGGHGIGIIGHgIzxzgghgIFIhIIIGGHiIxxgHgGIgiiIIHHHGGiIHIghggGGHGiIhiIihigIIghhihiiiggiiiighihigiigiiiiiigigiiiigiiihiigiiiihihiiiiihiiihiihhxGhhIGIIIGi # (e2) State:11rAv filter="src host 10.0.2.110 and tcp and synack and dst host 174.133.57.141 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-63" filter="src host 10.0.2.110 and tcp and synack and dst host 195.113.232.90 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-62" filter="src host 10.0.2.110 and tcp and synack and dst host 74.125.232.218 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-61" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.179.212 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-60" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.185.212 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-59" filter="src host 10.0.2.110 and tcp and synack and dst host 74.117.116.66 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-58" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.179.213 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-57" filter="src host 10.0.2.110 and tcp and synack and dst host 74.117.116.94 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-56" filter="src host 10.0.2.110 and tcp and synack and dst host 195.113.232.82 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-55" filter="src host 10.0.2.110 and tcp and synack and dst host 69.64.147.243 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-54" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.185.207 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-53" filter="src host 10.0.2.110 and 
tcp and synack and dst host 68.67.185.206 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-52" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.185.214 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-51" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.179.210 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-50" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.185.215 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-49" filter="src host 10.0.2.110 and tcp and synack and dst host 195.113.232.81 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-48" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.185.205 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-47" filter="src host 10.0.2.110 and tcp and synack and dst host 94.63.150.52 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-46" filter="src host 10.0.2.110 and tcp and synack and dst host 217.163.21.37 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-45" filter="src host 10.0.2.110 and tcp and synack and dst host 74.125.232.217 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-44" filter="src host 10.0.2.110 and tcp and synack and dst host 173.241.240.4 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-43" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.179.209 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-42" filter="src host 10.0.2.110 and tcp and synack and dst host 217.163.21.36 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-41" filter="src host 10.0.2.110 and tcp and synack and dst host 195.113.232.98 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-40" filter="src host 10.0.2.110 and tcp and synack and dst host 92.240.244.181 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-39" filter="src 
host 10.0.2.110 and tcp and synack and dst host 184.82.147.252 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-38" filter="src host 10.0.2.110 and tcp and synack and dst host 195.113.232.83 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-37" filter="src host 10.0.2.110 and tcp and synack and dst host 70.32.97.26 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-36" filter="src host 10.0.2.110 and tcp and synack and dst host 184.82.155.108 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-35" filter="src host 10.0.2.110 and tcp and synack and dst host 217.163.21.34 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-34" filter="src host 10.0.2.110 and tcp and synack and dst host 217.163.21.40 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-33" filter="src host 10.0.2.110 and tcp and synack and dst host 195.113.232.96 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-32" filter="src host 10.0.2.110 and tcp and synack and dst host 184.82.148.44 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-31" filter="src host 10.0.2.110 and tcp and synack and dst host 64.236.79.229 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-30" filter="src host 10.0.2.110 and tcp and synack and dst host 93.184.220.20 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-29" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.185.210 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-28" filter="src host 10.0.2.110 and tcp and synack and dst host 217.110.110.231 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-27" filter="src host 10.0.2.110 and tcp and synack and dst host 184.82.148.44 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-26" filter="src host 10.0.2.110 and tcp and synack and dst host 217.163.21.38 and dst port 80" 
label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-25" filter="src host 10.0.2.110 and tcp and synack and dst host 67.201.31.224 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-24" filter="src host 10.0.2.110 and tcp and synack and dst host 87.248.203.254 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-23" filter="src host 10.0.2.110 and tcp and synack and dst host 50.23.235.4 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-22" filter="src host 10.0.2.110 and tcp and synack and dst host 174.36.246.56 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-21" filter="src host 10.0.2.110 and tcp and synack and dst host 67.214.158.5 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-20" filter="src host 10.0.2.110 and tcp and synack and dst host 64.38.232.180 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-19" filter="src host 10.0.2.110 and tcp and synack and dst host 50.22.198.84 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-18" filter="src host 10.0.2.110 and tcp and synack and dst host 74.117.116.77 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-17" filter="src host 10.0.2.110 and tcp and synack and dst host 94.127.76.180 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-16" filter="src host 10.0.2.110 and tcp and synack and dst host 208.73.210.29 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-15" filter="src host 10.0.2.110 and tcp and synack and dst host 95.172.94.64 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-13" filter="src host 10.0.2.110 and tcp and synack and dst host 217.163.21.41 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-12" filter="src host 10.0.2.110 and tcp and synack and dst host 87.248.203.253 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-11" filter="src host 10.0.2.110 and tcp and synack and dst host 77.238.167.32 and 
dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-10" filter="src host 10.0.2.110 and tcp and synack and dst host 195.113.232.88 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-yieldmanager-9" filter="src host 10.0.2.110 and tcp and synack and dst host 217.163.21.35 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-yieldmanager-8" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.185.209 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-7" filter="src host 10.0.2.110 and tcp and synack and dst host 68.67.185.217 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-6" filter="src host 10.0.2.110 and tcp and synack and dst host 69.16.175.10 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-5" filter="src host 10.0.2.110 and tcp and synack and dst host 195.113.232.73 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-4" filter="src host 10.0.2.110 and tcp and synack and dst host 195.113.232.97 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-3" filter="src host 10.0.2.110 and tcp and synack and dst host 209.190.94.170 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-2" filter="src host 10.0.2.110 and tcp and synack and dst host 98.126.71.122 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Ad-1" # CC # ###### # (e7) State:99ciiiiizziiittcccc filter="src host 10.0.2.110 and tcp and synack and dst host 123.126.51.33 and dst port 80" label="From-Botnet-V31-1-TCP-CC108-Plain-HTTP" # (e3) State:360t0t0c0c0c0f0f0t0t0c0c0c0c0c0c0f0t0t0c0c0c0c0c0c0c0c0c0w0F0w0t0t0f0c0c0c0c0c0f0c0c0c0c0c0c0c0c0c0c0c0i0w0w0w0w0w0w0w0w0w0w filter="src host 10.0.2.110 and tcp and synack and dst host 193.105.210.21 and dst port 999" label="From-Botnet-V31-1-TCP-CC107-Plain-HTTP-Encrypted-Data" # P2P CC of exp12. 
Really a small amount # (e12) State:13rww # (e12) State:11sr # (e12) State:11rr # (e12) State:11rr # (e12) State:12rr # NOT GOOD filter="src host 69.104.66.134 and udp and con and dst host 10.0.2.110 and dst port 31037" label="From-Botnet-V31-1-UDP-CC108-Established-P2P-Not-Encrypted-1" filter="src host 222.160.227.154 and udp and con and dst host 10.0.2.110 and dst port 32234" label="From-Botnet-V31-1-UDP-CC108-Established-P2P-Not-Encrypted-1" filter="src host 91.188.37.153 and udp and con and dst host 10.0.2.110 and dst port 32234" label="From-Botnet-V31-1-UDP-CC108-Established-P2P-Not-Encrypted-1" filter="src host 161.200.133.204 and udp and con and dst host 10.0.2.110 and dst port 32234" label="From-Botnet-V31-1-UDP-CC108-Established-P2P-Not-Encrypted-1" filter="src host 93.103.254.175 and udp and con and dst host 10.0.2.110 and dst port 29676" label="From-Botnet-V31-1-UDP-CC108-Established-P2P-Not-Encrypted-1" filter="src host 95.65.17.47 and udp and con and dst host 10.0.2.110 and dst port 32234" label="From-Botnet-V31-1-UDP-CC108-Established-P2P-Not-Encrypted-1" filter="src host 10.0.2.110 and udp and con and dst host 222.160.227.154 and dst port 32234" label="From-Botnet-V31-1-UDP-CC108-Established-P2P-Not-Encrypted-1" # Specific for exp3 only. 
The IRC was captured as coming from the internet because the pcap was broken # (e3) State:30w0t0t0c0c0c0f0f0t0t0c0c0c0c0c0c0f0t0t0c0c0c0c0c0c0c0c0c0w0F0w0t0t0f0c0c0c0c0c0f0c0c0c0c0c0c0c0c0c0c0c0i0w0w0w0w0w0w0w0w0w0w filter="src host 38.229.70.20 and tcp and dst host 10.0.2.110 and dst port 1027" label="From-Botnet-V31-1-TCP-CC107-IRC-Not-Encrypted" # (e10) State:990t # NOT WORKING # Generated FP filter="src host 10.0.2.110 and tcp and synack and dst host 130.239.18.172 and dst port 6667" label="From-Botnet-V31-1-TCP-CC106-IRC-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 89.16.176.16 and dst port 6667" label="From-Botnet-V31-1-TCP-CC106-IRC-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 213.232.93.3 and dst port 6667" label="From-Botnet-V31-1-TCP-CC106-IRC-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 174.143.119.91 and dst port 6667" label="From-Botnet-V31-1-TCP-CC106-IRC-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 78.40.125.4 and dst port 6667" label="From-Botnet-V31-1-TCP-CC106-IRC-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 86.65.39.15 and dst port 6667" label="From-Botnet-V31-1-TCP-CC106-IRC-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 216.155.130.130 and dst port 6667" label="From-Botnet-V31-1-TCP-CC106-IRC-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 82.96.64.4 and dst port 6667" label="From-Botnet-V31-1-TCP-CC106-IRC-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 213.179.58.83 and dst port 6667" label="From-Botnet-V31-1-TCP-CC106-IRC-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 66.252.13.214 and dst port 2081" label="From-Botnet-V31-1-TCP-CC105-IRC-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 95.211.9.145 and dst port 80" 
label="From-Botnet-V31-1-TCP-CC104-HTTP-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 62.149.140.209 and dst port 80" label="From-Botnet-V31-1-TCP-CC103-HTTP" filter="src host 10.0.2.110 and tcp and synack and dst host 212.124.126.66 and dst port 80" label="From-Botnet-V31-1-TCP-CC102-HTTP-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 194.28.87.64 and dst port 80" label="From-Botnet-V31-1-TCP-CC101-HTTP-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 97.74.144.110 and dst port 80" label="From-Botnet-V31-1-TCP-CC100-HTTP-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 84.59.151.27 and dst port 3285" label="From-Botnet-V31-1-TCP-CC99-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 186.92.137.193 and dst port 2873" label="From-Botnet-V31-1-TCP-CC98-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 212.17.122.207 and dst port 3945" label="From-Botnet-V31-1-TCP-CC97-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 210.210.112.17 and dst port 7465" label="From-Botnet-V31-1-TCP-CC96-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 176.73.233.22 and dst port 6918" label="From-Botnet-V31-1-TCP-CC95-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 172.242.78.165 and dst port 6687" label="From-Botnet-V31-1-TCP-CC94-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 200.84.7.244 and dst port 8038" label="From-Botnet-V31-1-TCP-CC93-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 82.211.161.86 and dst port 2017" label="From-Botnet-V31-1-TCP-CC92-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 78.139.149.134 and dst port 3610" label="From-Botnet-V31-1-TCP-CC91-Custom-Encryption" filter="src host 10.0.2.110 and tcp and 
synack and dst host 155.230.189.121 and dst port 6758" label="From-Botnet-V31-1-TCP-CC90-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 31.192.7.200 and dst port 5479" label="From-Botnet-V31-1-TCP-CC89-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 211.38.175.27 and dst port 4598" label="From-Botnet-V31-1-TCP-CC88-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 82.211.141.181 and dst port 5977" label="From-Botnet-V31-1-TCP-CC87-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 85.90.169.173 and dst port 6297" label="From-Botnet-V31-1-TCP-CC86-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 89.40.177.36 and dst port 2670" label="From-Botnet-V31-1-TCP-CC85-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 82.17.183.230 and dst port 3113" label="From-Botnet-V31-1-TCP-CC84-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 176.73.98.25 and dst port 6950" label="From-Botnet-V31-1-TCP-CC83-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 95.104.66.207 and dst port 7362" label="From-Botnet-V31-1-TCP-CC82-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 176.73.207.85 and dst port 7491" label="From-Botnet-V31-1-TCP-CC81-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 95.104.77.164 and dst port 3226" label="From-Botnet-V31-1-TCP-CC80-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 75.25.155.129 and dst port 1509" label="From-Botnet-V31-1-TCP-CC79-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 200.91.49.183 and dst port 5371" label="From-Botnet-V31-1-TCP-CC78-Custom-Encryption" # (e7) State:23Aattr filter="src host 10.0.2.110 and tcp and synack and dst host 61.135.188.210 and dst port 80" 
label="From-Botnet-V31-1-TCP-CC77-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 174.128.235.237 and dst port 88" label="From-Botnet-V31-1-TCP-CC76-HTTP-Custom-Port-Not-Encrypted-Binary-Download" # (e8) State:31sw0r0A0s0r0A0r0s0b0s0r0r0s filter="src host 10.0.2.110 and tcp and synack and dst host 222.73.45.135 and dst port 81" label="From-Botnet-V31-1-TCP-CC75-HTTP-Custom-Port-Not-Encrypted-Non-Periodic" # (e8) State:33CcccccccccccccCCcCttttccccttcttcccccccccccccccccccccCCcttcctccccccccccccccccccccccccccccccccccttttcccccccccccccccccccccccccccccccccctccctcccccccccccccccccccccccccccccCCcctCtttcccccccccccccccccccccccccccccccccctctttcccCtCtttCccc0rtCttccCcCccccccccccccccccccccccccccccCtcctcccccccccccccccccccccccccccccccccctttctcccccccccccttccccccccccccccccccccttcctcccCCccCCCCccttcCCCcCccccccccccccctcctccCCccCCccccccccccccCCcCCCccCCcCCtttttCCcccccccttccttcCCcCCcCcCCCccCccCCtcCtCCccCcCcttccccccccccccccccccccCcCtCctccccttCcccCccCCcccttcccttcccCCcccCtcctttcccCcccCcCCcCCCCcCCccCCcccccCCCCttttcccCttttttcccCcCcccccCCcCcCcttccctcctcccccccCCcccccttcccCccCccCcCcCCccttcctCccccccccccccccCCcccCCCCccccCCcCCttccttccccCCcCCCCcCCccccccccccccccttCctttttccCCcccCCcccCcccCtttCccttcccttcctctttccCCcCcCcttCcccttccccccccccccccccttttccccccccccccccccccccccccccccccccccctttttcccccccccccccccccccccccccccccccccttttccccccccccccccccccccccccccccccccccctttttcccccccccccccccccccccccccccccccccctttttcccccccccccccccccccccccccccccccccttcttccccccccccccccccccccccccccccccccccttttcccccccccccccccccccccccccccca filter="src host 10.0.2.110 and tcp and synack and dst host 222.189.228.111 and dst port 3389" label="From-Botnet-V31-1-TCP-CC74-HTTP-Custom-Port-Not-Encrypted" # (e4) State:71rarrrrrraaaaarrarrraaArrrrrraarrrrrrrraaaaaaa # (e6) State:71rrrrrrraaarrrrrwrrrraarrrrrwarrrarrrrrrrrarrrraarrrrrrrrraarararrrrrrrrarrarrrrrrrrrrrrrrrrrrrrrrrarraarrrrrrrrrabrrrrrarraarrrrrrrarrrrrarararrraararrrrraaarrrrrrrrarrsrrrarraaaararrrraaaaararaaaa # GOOD filter="src host 10.0.2.110 and tcp and 
synack and dst host 91.212.135.158 and dst port 5678" label="From-Botnet-V31-1-TCP-CC73-Not-Encrypted" # (e2) State:11arrAtaarrrrrrrrArrrrAAarrrArAtrrcrrrarcrrrraaCrrrrrAAArrrrrarrrAAarrrrrrrrrrrrrrrrrrrrr filter="src host 10.0.2.110 and tcp and synack and dst host 184.82.155.107 and dst port 80" label="From-Botnet-V31-1-TCP-CC70-Custom-Encryption" # (e2) State:31aarraarArArrAtrrAArrarrAAAACrArrrAAAAarrraraaArarrrArraarrrarrrarrrCaArraararAraaarArraaAttsrrraarrArArArrrrAaarrrarrAArrrArArrrArrarAaaAaarArArrArrrrrrrarrraAAAaAArrArraAaaaAArrrrrrrrrrrArrrrrraA filter="src host 10.0.2.110 and tcp and synack and dst host 184.82.147.251 and dst port 80" label="From-Botnet-V31-1-TCP-CC69-Custom-Encryption" # (e2) State:11aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaararrrrArrraraarraaaraAraraArararaaatrraArarrrrrraAarrCrrrrrrrrrrrrarrrrrrrArrArrrrrrrrrAarrrrrraArrrrrArrrrtrrrrrrrrrcrrArArrrrrrrrArrrtrrraaarrrrar filter="src host 10.0.2.110 and tcp and synack and dst host 184.82.148.43 and dst port 80" label="From-Botnet-V31-1-TCP-CC66-HTTP-Custom-Encryption" filter="src host 10.0.2.110 and tcp and synack and dst host 67.19.72.206 and dst port 80" label="From-Botnet-V31-1-TCP-CC63-HTTP-Not-Encrypted" # (e2) State:11aaaarrrrrAAarArrraAAraaarrrArrrrrarraAraarraaaa filter="src host 10.0.2.110 and tcp and synack and dst host 31.192.109.161 and dst port 80" label="From-Botnet-V31-1-TCP-CC56-HTTP-Not-Encrypted" # (e1) State:44ddi0z0i0i0i # Some TP. 
filter="src host 10.0.2.110 and tcp and synack and dst host 213.246.53.125 and dst port 5296" label="From-Botnet-V31-1-TCP-CC55-Custom-Encryption" # (e1) State:66fiffiiiiiffifffiffi filter="src host 10.0.2.110 and tcp and synack and dst host 222.88.205.195 and dst port 443" label="From-Botnet-V31-1-TCP-CC54-Custom-Encryption" # (e1) State:44DdddddddddfdddddddddddddddddddiddddddddDDddddddDddd filter="src host 10.0.2.110 and tcp and synack and dst host 31.192.109.167 and dst port 80" label="From-Botnet-V31-1-TCP-CC53-HTTP-Not-Encrypted" # (e9) State:46tFtwwttwwwwwwwwwwFfttwFCttffFwftCwwcCtftwttfFFtFwwwwwFwwFwcwfwcwt # (e9) State:53twwwtuwwtwwwwFCfcfwwCcFfFfFwwwcfCcwFwwwwffwwwcwtwtCtwtCFwwwCwtFcFcwwwtfttft # (e9) State:46fFcwwtttwwtCwFfFfwFFCtwwcFFwcCcttwttcwwFtwwtffwtwwwwwwwwwwwFvwws # GOOD filter="src host 10.0.2.110 and tcp and synack and dst host 195.190.13.78 and dst port 80" label="From-Botnet-V31-1-TCP-CC23-Plain-HTTP-Encrypted-Data" # (e9) State:46twtCtCftFwwttwwfFfffFctttttCwtCfFtwwwCtwcCttwfFCtwwwwwtwttw # (e9) State:46FwwwwwwFtctCtwFttwwcfCFwttCwFcwFtwwwwttwwCttwwtwtttwCwwtccwwwtws # (e9) State:43wtttftfFctwtcFttCtwtwtwwttwtttFwcwtfttCCCcttwcwwtfctwFwtwwts # (e9) State:43CFfwtwtttFwfwwwtwCFFwfttCfCCFCwtttwFFfwtFwtFwtwwtCftffFCwwtttwCt # (e9) State:46wwftttwtwwwtcFCwtFCFtwwFFfCwwttwwwtFtccwtwFFctFtwtcwftttfwCctCtwts # (e9) State:43wtwftwFwwwtCttftwwctwtwwtCCCfFwftFFwtfttttffwwwwCwwftwwCs # (e9) State:46fwwcCCtttwtwwtttfttFFwwfwwCwCcwwwCFtFCwwwCwFCftwtfFwwwfcwtwtCv # GOOD filter="src host 10.0.2.110 and tcp and synack and dst host 195.190.13.70 and dst port 80" label="From-Botnet-V31-1-TCP-CC20-Plain-HTTP-Encrypted-Data" # This one should match only in e1. 
In the rest should not be used # (e1) State:96fFIFIIFfiiiiIFFiFififfIfifIffIFfIfifIiiififIFfIfifIFifffiifIiIiIFiiFIifiiifIFfifiFIfHIIiififIFIIfigifIFIFII0zzIzwz0wzz0zzzziiIIiIFiifiiiiifIIFFFFfffifiiIFzzzzzwiIfizzzIFwzhhI0zw0zwwzwwfifIfIiiIIffiIiIiIfFiiifiiffffiiifiiiiffiififffiiiiffifiiffifiIIfifiiifffiIIizwIiIIiF #filter="src host 10.0.2.110 and tcp and synack and dst host 173.192.170.88 and dst port 80" label="From-Botnet-V31-1-TCP-CC16-HTTP-Not-Encrypted" # This one should be used in all the experiments except e1. # (e2) State:33tttstttrttswtttttttttcttttfctwtttttttcttttttttttcttcttttstttttttstttttrwtttttttttrrtt0tsttt0ttstrtttttttttttttttttcttttttttttttttrttt # (e9) State:33crttrttCtcAtttttsttttCawttttAttCtCAwtttCatttttrtttcCattCCttttrtttrttrtttttrtttttBtttCawttttrwttttrwtttttttttCswtCcatttrttttAwttrwtttAwttttt # (e9) State:33rwtttcrtttttrtttttsrttttCsttcCcAttttcBttttAttttbttttAtttrttttCAtttcrwtttrwtttcrrwttttrwtttcBrwtttrwtttCAttccAttttcAwtttcBwtCccB # (e9) State:63ttcrwtttCBwttttAsttttcBttcttsrttttbrttttrwtttAtwtttttrwtttctwttCtattttatttrttBrtttCtattttAtttttcCAttttrttCtrtttttrwtttC # (e9) State:13ttctAwtCtcBwtCtcsrttttrttttattttattttrtttrttrtttttsttCctawtttcrwtttbAwtttCBtttttrttttCawtcCCttttAttttAttttAttttrwtttcrw # (e9) State:33CCatttrrttttAttttatttattrttttcatttttrwtttcattttcswtcttctttttBwtcttAttttAttttattttattttattrttttcsttCtCAwtttCrttttCArwttttrwttttattttsttttFAttttsttttrtttstttt # (e9) State:33ttCAwtttCrtttttAttcCtawtttCatttCtAttttrttttBttttbttttrtttrttttcAwtttcrtttttsttcttrwttttstttttstttttstttttAsrACtttrtttttrttttr # (e9) State:63tCtswttttrwttCtstttttrwtcttswttttrrttCtrrttttattrwttwtrwttttstcCttrwttttwscttrtttttsrttttrttttrrttttstttrwttttrr # (e9) State:33tstttrttrttttCawtCttrrtttttbttttCAttttCattttCsttCcattttAttttatttrttrwtttcsttcttBttttCswttcsrwttttsttttCrwtccrttctrtttttttttAttttrttttc # (e9) State:11rrfttttswttttrttttrttttrttttrttttrttrtttttsrwtCttrwttttstttttstttttstttttrtttrttttsrrCtttrwtttt # (e9) 
State:63ttcsttttcstttttswCtctrwttttsttcttswttttrwctttrwtCttrttttrttttrttrtttttrwtCttrCttttrwtttstttttrFttttttttctsttCtrwttttrtCttrttttsttCtswttttrFt # # (e13) State:31trtrtttstrttwtsrtrtrtrtrtrtrtrtrtrttttCCtrtrtrtrtrtrtttrtrtrttttttttrtrtrtrtrtrtrtrtrtrtrtttttttrtrtrtrtrtrtrtrtrtrtrtttttttrtrtrtrtrtrtrtrtrtrtrtttttttrtrtrtrtrtrtrtrtrtrtrtttttttttrtrtrtrtrtrtrtrtttrtrttttrtrtrtrtrtrtrtrtrtrtttrtCtctttttbtttrtrtrtrtrtrtrtrtrtrtrtrtrtrtrtrtstrtrtrtrtrtrtrtrtrtrtrtrtrttrttrrtrtstttttttttttttttttttttcctttttttttttttcCtttctttwtttttttCtttttwttttttttttttttttrttttttrtrttrrrstsrttsttrsCttttsttcttttttttttcCttsttt . This one has some FP. # GOOD filter="src host 10.0.2.110 and tcp and synack and dst host 173.192.170.88 and dst port 80" label="From-Botnet-V31-1-TCP-CC16-HTTP-Not-Encrypted" # CC ###################### # These are all CC to port 6667 that are not irc, but some HTTP that sends 2 o 3 flows. Some worked, some not. filter="src host 10.0.2.110 and tcp and synack and dst host 213.92.8.4 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11rArrsrrrBArs # (e9) State:110rr # (e9) State:11rr # (e9) State:11r # (e9) State:11rr # (e9) State:11r # filter="src host 10.0.2.110 and tcp and synack and dst host 202.112.126.218 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r # (e9) State:110r # (e9) State:11r # (e13) State:110rr filter="src host 10.0.2.110 and tcp and synack and dst host 61.17.216.86 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11rrr # (e13) State:11r filter="src host 10.0.2.110 and tcp and synack and dst host 58.42.247.165 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11t # (e9) State:11r # (e9) State:110rr # (e9) State:11rs filter="src host 10.0.2.110 and tcp and synack and dst host 86.123.31.54 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:110r filter="src host 10.0.2.110 
and tcp and synack and dst host 61.17.216.15 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r # (e9) State:11r # (e13) State:11rr filter="src host 10.0.2.110 and tcp and synack and dst host 200.171.4.222 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11rr # (e13) State:11rr0r filter="src host 10.0.2.110 and tcp and synack and dst host 218.189.208.34 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 217.34.4.226 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e2) State:11r # (e9) State:11r # (e13) State:110rr filter="src host 10.0.2.110 and tcp and synack and dst host 217.34.4.225 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11rr filter="src host 10.0.2.110 and tcp and synack and dst host 184.106.213.57 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 115.85.238.119 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 89.103.213.96 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 81.10.0.18 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r # (e9) State:320rt filter="src host 10.0.2.110 and tcp and synack and dst host 61.177.120.254 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r # (e9) State:11rr filter="src host 10.0.2.110 and tcp and synack and dst host 61.17.216.94 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r filter="src host 10.0.2.110 and tcp and synack and dst host 61.17.216.92 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e1) State:88yyy # (e2) 
State:11r # (e9) State:11rr filter="src host 10.0.2.110 and tcp and synack and dst host 61.17.216.4 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e13) State:11r filter="src host 10.0.2.110 and tcp and synack and dst host 61.17.216.25 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r filter="src host 10.0.2.110 and tcp and synack and dst host 61.17.216.22 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e1) State:88yzy # (e9) State:11t # (e13) State:11ss filter="src host 10.0.2.110 and tcp and synack and dst host 61.167.116.133 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e1) State:880y0y # (e9) State:22tr filter="src host 10.0.2.110 and tcp and synack and dst host 61.150.114.216 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 60.173.109.42 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 58.42.247.143 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e2) State:11r filter="src host 10.0.2.110 and tcp and synack and dst host 58.215.78.1 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 61.177.120.254 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 86.123.31.54 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 221.207.141.60 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:22rr # (e12) State:11rr # (e13) State:31rr filter="src host 10.0.2.110 and tcp and synack and dst host 219.232.102.130 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r 
filter="src host 10.0.2.110 and tcp and synack and dst host 219.145.198.122 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 60.173.109.42 and dst port 6667" label="From-Botnet-V31-1-TCP-CC1-HTTP-Not-Encrypted" ################### 6667 filter="src host 10.0.2.110 and tcp and synack and dst host 208.110.80.34 and dst port 443" label="From-Botnet-V31-1-TCP-CC13-Custom-Encryption" # (e5) State:22rBACrtrtstr # (e9) State:17xggAaaAaAacrrAaCtasCrsAAaAcstAsAraCrraartrtrrtsszrrrt # (e9) State:31rrrrrrrrzrrrtrtrrtrrstrrrtrstttrrrtrrtrrszzrrrz # (e9) State:11rctararrtrtrtssrttrrtrtstrrraAbCrrrtsrsrttrrCrtrraarrriziztztzz # (e9) State:33rrrrrrrtsrrrrrrrrtttrrrtrrrrrrtrrrrrrtszzzzzzzssttAsrAbrBCtssAArbAAaabBAtaaAaBttasrraabAAaAAAraBrraaacrraBrttArCtrsAAbsaABrAcrsBrrABbbbaAabABrt # (e9) State:11rAaaaaaActsCrrcstsrBCrrCsrtrrBaBCrrCrrrtrtrrssAAcstrztstz # (e9) State:11rCrrcacstrraaAracrrBsBbaAaarCrraaAAAAaACttrssaCsrAaaaCtcaractrsrrBBAABcrrrraCtIrstz # (e9) State:33trrrtrstttrrrssrrtsrrtrtrrrrrrtrrtrtrsrsrsAAaBBACzzrztyz # (e9) State:13yrAtrxx0z # (e9) State:17rstzr # (e9) State:18ttgtttCarcrrCrrAaAAAaaCrtrrACrrrsCrzzIIsszz # (e13) State:18rbrrrrzxxyryrraAAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # Weird... is it good? Does not seem so... 
# NOT GOOD filter="src host 10.0.2.110 and tcp and synack and dst host 91.220.0.52 and dst port 80" label="From-Botnet-V31-1-TCP-CC12-HTTP-Not-Encrypted" filter="src host 10.0.2.110 and tcp and synack and dst host 74.3.164.222 and dst port 443" label="From-Botnet-V31-1-TCP-CC7-Custom-Encryption" # (e1) State:88hhhyyhhh # (e2) State:11raArrrAA # (e9) State:11rABrrrrrrrrr # (e9) State:11rrrrArrrrrrr # (e9) State:11rrrasrrrAAAA # (e9) State:11rrrrrrrrArrr # (e9) State:11rArrrssraArr # (e9) State:11ArrrrrrrArrr # (e9) State:11rrrrrrrrAArr # (e9) State:11rrrArrrrAArr # (e9) State:11rrrrrrrrAArr # (e13) State:120tttCtCCtttCttt0rrrrrrAAAA0rr0rr # GOOD filter="src host 10.0.2.110 and tcp and synack and dst host 60.190.223.75 and dst port 888" label="From-Botnet-V31-1-TCP-CC6-Plain-HTTP-Encrypted-Data" # (e5) State:41rrrAr # (e9) State:41rrrrrrr # (e9) State:41rrrrrrr # (e9) State:41rrrrrrr # (e9) State:41rrrArrr # (e9) State:41rrrrrrr # (e9) State:41rrrrrrr # (e9) State:41rrrrrrA # (e9) State:41rrrrrrr # (e9) State:41rrrrrrA # (e9) State:41rrrrrrr # (e13) State:41rrrrr0uu0u0Drr0u0d # GOOD filter="src host 10.0.2.110 and tcp and synack and dst host 94.63.150.63 and dst port 80" label="From-Botnet-V31-1-TCP-CC5-Plain-HTTP-Encrypted-Data" # END CC # ########## # (e9) State:990f # (e9) State:990f # (e9) State:990c # (e9) State:990i # (e9) State:990i # (e9) State:990c # (e9) State:990f # (e9) State:990f # (e9) State:990c # (e9) State:990f filter="src host 10.0.2.110 and udp and con and dst host 188.72.241.107 and dst port 3524" label="From-Botnet-V31-1-UDP-Custom-Encryption-1" # (e9) 
State:33tttzttttwuvFCfffEwvzwwzHIFiIHIiiIIIIzttFvwEfFFEEfFwffffEwwswfwvaGDDhhbgdhhizziIzIIHIwvwfEuDddddidaadddddgdgiddgdgggdgggggdgggigggggiigihhhhhhfzzwiztzItwsyFfCffwsiefzffihIFIhIIzIIzziiccwzwwfefbewwEwfEbufzFzfFFBIzzzwzzhcvtwziztyyiIyzIIItwwweeEwwvcfiFwIIzfIIziizzizyzCtzwztvvfwffwwifffEzfhzwIBytFwzztzzzICzwyztvHhiiIiIIHHIzieyyIzIihICwzEwwtwCzttwttwwFEwfvEFFtEcFeFwBFeffbdbfwbfbFvftCfewsswefffAEEFBCFeBfwzzwiwwwiffwseedCwFifedufrufuGdhFIiFiFFEIvzrvIFzzzIbibiEIiihhHhehIIIIziiiIzFewwfEffvwEFwFcfFHCtwvEffsradddddhhhdhhchHyHiHhHiituvddddddddddedddgddddddgadgddgdddGgddgddggggGdgdggggdggghggGGggghgghGCyDHzbezIziziCzCcwvvFFfFuvFzuuadddddddgiFwEtzceIIhzzEyyIIzfGt filter="src host 10.0.2.110 and tcp and synack and dst host 212.117.177.186 and dst port 65500" label="From-Botnet-V31-1-TCP-Not-Encrypted-SMTP-Private-Proxy-6" # (e9) State:33CctttwwwFFFwwFwIFfIIFEcEdGdheifzwywiFifiFIiiihvtiiIIiIIiIiiiCIzwvwFFeFEfffFvEFvEfeiFwFfFCIFibiIdvEIvyDeIsyditiIiIziyzfuvwEDvFwFFcfcEEwtEbeFrsfzzizIiHyhhittwrwdddeeCcfFffFiiiifBHIiIzziiIzIwwwfwwtwwzEHCFvzihiiwIhzzzfiIzzIzIICtwwveFwwfffFvwEFfwECstfCzFwczIzwzIwzwIFiwztwtzcIiIiCizzzzztttwtFwFttwtwwwftczzFwwwFffttitttwCtwfCwwFFwFtcttttwwFtwwtzwwtwIzzwzfFwwCwcCtCwttttttsCtwtwwftttIwztwwziIFiztwtwwwwtCwwtFFFftCwwwftwt # (e9) State:33ctCcttCzztwwwfwfCcttttzttwttwwwtFwtczwzICcwtwzzzzzItzFttwwwwfwCtttzwtwFwwFCCCtttttwwwtCtztttzzwwtwwtczztwwwwwztzttwtwFwttwtztwftwfFFftttttttzt filter="src host 10.0.2.110 and tcp and synack and dst host 50.7.244.234 and dst port 65500" label="From-Botnet-V31-1-TCP-Not-Encrypted-SMTP-Private-Proxy-5" # (e9) 
State:12bAssCwtiwwwfFwfffIFfIHIfzzIHrrgeHdHDIwexDgadgDGddfizwfizzIizzIIIiitvItvvfwwtufwCFFfEFiifffhHIIziiiiIcvcvzHyhctzvwvwvwEFeffwweFcsFBcEwzwFeFwEEhFvzIiFzyziCfCsuzziiciIzzzzwrueFwwefeehFvIiHFHIHiiizizzcziwwwwFvwfeewywwIiiFIIfbEefFfwwwfEyFvzzIvzHIIiIIzizIczztwwwffeFFwwIibeFIzzIfHIIzywCvzIzIyzzctwtvDvwFCfwwIwwCcIwzwwtwwtttwttwtCttwwwwwIcctwwwwwftwttttwzwItzIcCzwcwtiIFtzwwwwCFCFfwwwwtwftztwwwwwcfccwFccttttCwwwftttttcwtzwtfCwctwtwFftwwttwwwffFttzzzzFCwifcwzwttwttwwwwFwwta filter="src host 10.0.2.110 and tcp and synack and dst host 89.149.217.37 and dst port 65500" label="From-Botnet-V31-1-TCP-Not-Encrypted-SMTP-Private-Proxy-4" # (e9) State:92vcvtwvwwwzFCwEwfwIiwFzzzzIizzzIiCtttzttzwwfffcFeEdGddghgitvzfzBwiFieIvzEdxdgbzeifiwywFBzzBHFIiyyIzIzIiIwwwEvfwwwFIfwtIiyIfihyhhhizIzicttwwvvFwFfFFzbwwzzvyIzziIyIIiIIcwwvfDwwffFrdddeddghdgddiwzFizIiiCIfIbFHwiIzwzCisiwwwwwwwzFtItzIIizztwffwwFCFFtIztwwwtzttzwwzwcwttCwFwwFFwtwtszitztzwIwwwcwtzztcFffFtwwFcczCwCwwwwwFFtfzwzttwwwFFtcFfwFwctttzFtwtFFwwwzcfttzttwwwFfwwCFttwwFFfCtwwwwwtttwwt # (e9) State:31vwArcttttzttttwwwwwewEfeiFtviIywzzzzziIhzzzztttttwwvdvEFwffIFFHzzfIEIcwzwzfIfifFFifieiHhihFwIHzIiiIziwiiIyxHhyyhdgDgddddaeFFIwfIIcECtwzICccwtwzzciffzwiftwCwCcIttwctttczzzIzfwwwffCcffctzztItiCitwtwwztwtzFwtCwwzfFwttwFtIwwtIFwtwtiFitICztttwzwztwttzwztffttwzwwwfcwFwczcizttwwwFtcfwfwfzCctztwwwtitwwtwfwFtCzcwztwtzIFIzzzzzzzzzFzwwzwwwzt # (this looks good but gave FP! I will delete it, but has to be analyzed...) 
filter="src host 10.0.2.110 and tcp and synack and dst host 212.117.161.86 and dst port 65500" label="From-Botnet-V31-1-TCP-Not-Encrypted-SMTP-Private-Proxy-3" # (e9) State:12aAIAbtwtttcttwwvFFfbuddddfCwvffffIiicfFEEhyHGHyivEiHIIIIIihzzzIiIIyziIiIIwttwvwEueddeDFdfvwzvfFBfEwvwtwCzeduhbIFFziiziIHDGGizziHGyhhhhizCwvwFfEEFFfeefEFFveDDddaadddddddddggddddefzwigyIbwIHwHHIhIzbiBhgHIIiihIIiIiIwwvvwedvvFCewbFEvDdeeIEfEuGeGwzIIfIfIiziiiizizIIcwwvwweeiDeFwwewwFffieFHwwIFIIhGDggdgghghgizzIIHzbIIzhzIiztzztzztwtwzttwtwtwtztvwefEwtwfEvFDIwEFFIfIHCwzzcICzcItztIczttIwztcffwtfFtwFwICCwwctwwwFwwtBsCzwtttfwFwtCtfwtwICcczwwtIFFwCCztzctwwzwwzfCftFwFtftzwwwFwzwtFzszcCttwztwwwzttwtwwwwfwwtstwwttwFwffcwCFtwtCtt filter="src host 10.0.2.110 and tcp and synack and dst host 212.117.177.188 and dst port 65500" label="From-Botnet-V31-1-TCP-Not-Encrypted-SMTP-Private-Proxy-2" # (e1) State:96iIIiFfiiIiiIIIfiIIIiiiiiiiiIfIiIIIiiiiIFiFIiwzwwzzIIiF0wzwzzfi0wwwwwzFzwFw0wwwwfiiw0wwzwww0wwwwwfwww0wwzwiwwwziwzwF0wwwfwwwwwwwwzzwzziifiiiiifdffwwz0wzwiidfFIFFdiDFIIwzziiiiwwzfwwweiFFwwFFwwFEfi0wwwwFfww0wwzIfifei0ww0wwzeifeewwFFwwwwvziifffifefIFiifiiffffFFFIiIiiiiiiiiiiiIIIIIiiiiiiiiiiiiiiiiiiiiiiiiiifhiiiiiiiIIiFfFeFfFFFFFfFff # (e2) State:11AaaDBAAaabuAabCzzttwtztwttztztwtCtttwt0twzzzttzttttztttzzt0tztzzz0ttzzztzzttztztzFICwwttzzz0tttztsztrt0tt0ttttettAC0ttttt0tttt0ttt0tt0ttrstCtttstzzcztztctsttstttwwtBrzBsCsrttrvaaztsctwszvzfrttrttczttrsBtwt # (e5) State:64udddddddhedhdHhEdhhiaIHhHHbHHihhFwiwuwvtrzryfwubivwtsucivwwztwwfcfIcczECCftzewvwsBAxHvscIgvEgdDcddddddddddhgdddhgaHHighEhhhHHhHIhhHhDHgeeaeiebhahBCyyADeDDeHHiEeehBAIicruhadhftwttr # (e9) State:52cttttwwzwwwzticItztttCttttztzzttttwtFwwtCtzttztzztzzztcFwtztzwwwFwztzwwzffftCIwtwcwtwIwwtttwtwwwwtwzIztIwiItzztIwIzzztFFiItiwzizztIFicztIItzIzzzttzwtzwwFwwCitwwwfFwwwwfCiwfzzzFzzztIzIIIIzzfwFwwFwtatztwtffvFzwtFtwCztwtFFfwwFCFwrtctFwwbtzthwfwwwwcwwwcFwwffFttwwwwfFCFFwzwzwziizzIzIzItzzyzyztt # (e13) 
State:23tctzwFwwwtzffewtizzCtzIICwzwCiftFtzttztzwtwwwtwtttttFwwwwwwwFwifwIziczwzzzIICIIiiIIwttyCwttffFFttwIytwFztycfftwwwCwIwwytwigztttwyzwtttCwvwtwwfcCFsttzztwttztwtItttwzwwwtttiwttttwFwvwzffFFfIffiztIfIzzzIIzwIwzfwwwFiwwwbtfswszztzwcwtzCttwwzsttwzuwFzzzIzFyztztwwwfffFIFzwwzzzzIiwzzzwwzwzwywzvzwICzztwvwvwFwwFfiffiIFwzztzzztIIIzzzzzwwwwFwwtzcwzftwzCwFzwwwwwwwwwwCIFwIzwztzzzzzzzzzzztwtwwwwwwFffffcwfzwfIzffFiiiizzwzziFIztttwtwwwwtttwtttttzttttttttttwctczwwzIciCzzzwtIwItwwwwwwwFwftFCFfwFzyftwfcItIwwffFzttzFIwwttztztwwytwIFfiewwcwzetwFIezwAyrEtFxzyszzxywAIIztzwtFCfCcwwFwwwwCwtwwwFiItfFwzzCizzzittttttztwwttttttwuvdDeddddDaedDDdbdddgahededddhehehhhhbGhEAdehEhhhhhhbdCzt filter="src host 10.0.2.110 and tcp and synack and dst host 212.117.171.138 and dst port 65500" label="From-Botnet-V31-1-TCP-Not-Encrypted-SMTP-Private-Proxy-1" # (e13) State:990s filter="src host 10.0.2.110 and tcp and synack and dst host 74.3.164.222 and dst port 443" label="From-Botnet-V31-1-TCP-Established-Custom-Encryption-8" filter="src host 10.0.2.110 and tcp and synack and dst host 74.3.164.224 and dst port 443" label="From-Botnet-V31-1-TCP-Established-Custom-Encryption-8" # (e9) State:660t # (e9) State:11AaaaaactarAF0w0t # (e9) State:11aAAcrtw0w0w filter="src host 10.0.2.110 and tcp and synack and dst host 204.12.208.59 and dst port 443" label="From-Botnet-V31-1-TCP-Established-Custom-Encryption-7" # (e2) State:190z0z filter="src host 10.0.2.110 and tcp and synack and dst host 184.154.89.154 and dst port 8735" label="From-Botnet-V31-1-TCP-Established-Custom-Encryption-6" # (e2) State:11ai0z0i filter="src host 10.0.2.110 and tcp and synack and dst host 173.236.31.226 and dst port 7212" label="From-Botnet-V31-1-TCP-Established-Custom-Encryption-5" # (e2) State:660f0c # (e9) State:660c # (e9) State:660C # (e9) State:660c filter="src host 10.0.2.110 and tcp and synack and dst host 83.133.119.197 and dst port 65520" label="From-Botnet-V31-1-TCP-Established-Custom-Encryption-4" # (e1) State:990iz0z 
filter="src host 10.0.2.110 and tcp and synack and dst host 78.129.227.128 and dst port 5231" label="From-Botnet-V31-1-TCP-Established-Custom-Encryption-3" filter="src host 10.0.2.110 and tcp and synack and dst host 78.129.163.119 and dst port 6251" label="From-Botnet-V31-1-TCP-Established-Custom-Encryption-2" # TCP Actions. Same state, same label filter="src host 10.0.2.110 and tcp and synack and dst host 65.55.72.7 and dst port 443" label="From-Botnet-V31-1-TCP-Established-Custom-Encryption-1" # UDP Actions. Same state, same label filter="src host 10.0.2.110 and udp and con and dst host 222.160.227.154 and dst port 32234" label="From-Botnet-V31-1-UDP-Established-P2P-Not-Encrypted-1" filter="src host 10.0.2.110 and udp and con and dst host 219.133.60.36 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.110 and udp and con and dst host 58.60.14.37 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.110 and udp and con and dst host 219.133.49.171 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.110 and udp and con and dst host 58.60.15.39 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.110 and udp and con and dst host 112.90.138.160 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.16.12 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.16.244 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.16.10 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.49.126 and dst port 8000" 
label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 112.90.86.181 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.48.105 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.49.31 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.49.123 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 119.147.45.89 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 112.90.86.183 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 119.147.45.15 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.49.124 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.48.104 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.16.16 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.49.30 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.16.17 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 112.90.86.182 and dst port 8000" 
label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.49.33 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 112.95.240.134 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 112.90.86.184 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.48.101 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 112.95.240.74 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 119.147.45.254 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 119.147.45.251 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.48.103 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 183.60.16.15 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.110 and udp and con and dst host 119.147.45.253 and dst port 8000" label="From-Botnet-V31-1-UDP-Established-Custom-Encryption-1" # From Botnet to Google filter="src host 10.0.2.110 and tcp and synack and dst net 195.113.214.0/24 and dst port 80" label="From-Botnet-V31-1-TCP-HTTP-Google-Net-Established-1" filter="src host 10.0.2.110 and tcp and synack and dst net 209.85.148.0/24 and dst port 80" label="From-Botnet-V31-1-TCP-HTTP-Google-Net-Established-2" filter="src host 10.0.2.110 and tcp and synack and dst net 173.194.112.0/24 and dst 
port 80" label="From-Botnet-V31-1-TCP-HTTP-Google-Net-Established-3" filter="src host 10.0.2.110 and tcp and synack and dst net 173.194.113.0/24 and dst port 80" label="From-Botnet-V31-1-TCP-HTTP-Google-Net-Established-4" filter="src host 10.0.2.110 and tcp and synack and dst net 173.194.114.0/24 and dst port 80" label="From-Botnet-V31-1-TCP-HTTP-Google-Net-Established-5" filter="src host 10.0.2.110 and tcp and synack and dst net 74.125.0.0/16 and dst port 80" label="From-Botnet-V31-1-TCP-HTTP-Google-Net-Established-6" filter="src host 10.0.2.110 and tcp and synack and dst net 209.85.149.0/24 and dst port 80" label="From-Botnet-V31-1-TCP-HTTP-Google-Net-Established-7" # From botnet to Java update filter="src host 10.0.2.110 and tcp and synack and dst host 72.5.123.29 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Java-1" # From botnet to Adobe update filter="src host 10.0.2.110 and tcp and synack and dst host 66.235.128.158 and dst port 443" label="From-Botnet-V31-1-TCP-Established-HTTP-SSL-Adobe-5" filter="src host 10.0.2.110 and tcp and synack and dst host 195.113.232.91 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Adobe-4" filter="src host 10.0.2.110 and tcp and synack and dst host 193.45.10.152 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Adobe-3" filter="src host 10.0.2.110 and tcp and synack and dst host 193.45.10.168 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Adobe-2" filter="src host 10.0.2.110 and tcp and synack and dst host 217.212.238.64 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-Adobe-1" # From botnet to AVG filter="src host 10.0.2.110 and tcp and synack and dst host 66.235.133.14 and dst port 80" label="From-Botnet-V31-1-TCP-Established-To-AVG-1" # From botnet to Microsoft filter="src host 10.0.2.110 and tcp and synack and dst host 64.4.56.87 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-To-Microsoft-Live-3" filter="src host 10.0.2.110 and tcp 
and synack and dst host 65.54.234.75 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-To-Microsoft-Live-2" filter="src host 10.0.2.110 and tcp and synack and dst host 94.245.116.9 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-To-Microsoft-Live-1" filter="src host 10.0.2.110 and tcp and synack and dst host 64.4.56.103 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-To-Microsoft-7" filter="src host 10.0.2.110 and tcp and synack and dst host 64.4.2.109 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-To-Microsoft-6" filter="src host 10.0.2.110 and tcp and synack and dst host 64.4.56.23 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-To-Microsoft-5" filter="src host 10.0.2.110 and tcp and synack and dst host 65.55.75.231 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-To-Microsoft-4" filter="src host 10.0.2.110 and tcp and synack and dst host 65.55.72.7 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-To-Microsoft-3" filter="src host 10.0.2.110 and tcp and synack and dst host 64.4.52.169 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-To-Microsoft-2" filter="src host 10.0.2.110 and tcp and synack and dst host 65.55.13.243 and dst port 80" label="From-Botnet-V31-1-TCP-Established-HTTP-To-Microsoft-1" filter="src host 10.0.2.110 and tcp and synack and dst host 65.54.186.10 and dst port 443" label="From-Botnet-V31-1-TCP-Established-SSL-To-Microsoft-7" filter="src host 10.0.2.110 and tcp and synack and dst host 65.55.40.23 and dst port 443" label="From-Botnet-V31-1-TCP-Established-SSL-To-Microsoft-6" filter="src host 10.0.2.110 and tcp and synack and dst host 65.54.234.78 and dst port 443" label="From-Botnet-V31-1-TCP-Established-SSL-To-Microsoft-5" filter="src host 10.0.2.110 and tcp and synack and dst host 65.55.16.187 and dst port 443" label="From-Botnet-V31-1-TCP-Established-SSL-To-Microsoft-4" filter="src host 10.0.2.110 and tcp and synack and dst 
host 65.54.234.24 and dst port 443" label="From-Botnet-V31-1-TCP-Established-SSL-To-Microsoft-3" filter="src host 10.0.2.110 and tcp and synack and dst host 65.55.40.215 and dst port 443" label="From-Botnet-V31-1-TCP-Established-SSL-To-Microsoft-2" filter="src host 10.0.2.110 and tcp and synack and dst host 157.55.0.135 and dst port 443" label="From-Botnet-V31-1-TCP-Established-SSL-To-Microsoft-1" ######################### # Generic for this Botnet # Netbios requests from botnet in the lan filter="src host 10.0.2.110 and udp and not con and dst port 137" label="From-Botnet-V31-1-UDP-Attempt-NetBIOS" # States are too different... maybe can be splited... filter="src host 10.0.2.110 and tcp and synack and dst port 80" label="From-Botnet-V31-1-TCP-WEB-Established" filter="src host 10.0.2.110 and tcp and synack and dst port 443" label="From-Botnet-V31-1-TCP-WEB-Established-SSL" filter="src host 10.0.2.110 and tcp and synack and dst port 25" label="From-Botnet-V31-1-TCP-Established-SPAM" filter="src host 10.0.2.110 and tcp and synack and dst port 587" label="From-Botnet-V31-1-TCP-Established-SPAM" filter="src host 10.0.2.110 and tcp and syn and dst port 25" label="From-Botnet-V31-1-TCP-Attempt-SPAM" filter="src host 10.0.2.110 and tcp and syn and dst port 587" label="From-Botnet-V31-1-TCP-Attempt-SPAM" filter="src host 10.0.2.110 and tcp and synack" label="From-Botnet-V31-1-TCP-Established" filter="src host 10.0.2.110 and tcp and syn" label="From-Botnet-V31-1-TCP-Attempt" filter="src host 10.0.2.110 and udp and con and dst port 53" label="From-Botnet-V31-1-UDP-DNS" filter="src host 10.0.2.110 and udp and not con and dst port 53" label="From-Botnet-V31-1-UDP-Attempt-DNS" filter="src host 10.0.2.110 and udp and not con" label="From-Botnet-V31-1-UDP-Attempt" filter="src host 10.0.2.110 and udp and con" label="From-Botnet-V31-1-UDP-Established" # ARP filter="src host 10.0.2.110 and arp" label="From-Botnet-V31-1-ARP" # Botnet labels # 10.0.2.107 # (e9) State:33t filter="src 
host 10.0.2.107 and tcp and synack and dst host 82.128.83.29 and dst port 6667" label="From-Botnet-V31-2-TCP-HTTP-Not-Encrypted-Down-3" # (e9) State:31r0t # (e9) State:31rt filter="src host 10.0.2.107 and tcp and synack and dst host 211.157.110.34 and dst port 6667" label="From-Botnet-V31-2-TCP-HTTP-Not-Encrypted-Down-2" # (e9) State:110r # (e9) State:13t filter="src host 10.0.2.107 and tcp and synack and dst host 66.18.85.2 and dst port 6667" label="From-Botnet-V31-2-TCP-HTTP-Not-Encrypted-Down-1" # (e2) State:33ctttctttttttstcccccaccccccccccccccccccccacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCttttcCBccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccacccccccccctCCsBaaaccccccccccccccccccccccccccccccccccccccccccccccccccaccccccccccccccccccccttcCctcccccccccccccccccccccaccccccccccccccccccccccccacacccccttttcccccccccccccccccccccccccccccccccccccbcccccccccccccccccccccccccccccccccccccaccccccccccccccccccccccccctCtscccbccccccccccccccccccccccccccccccccaccccccccccccccccccccccccccccccccacaccaacccccccccccccCstccaccccbcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCccttcccACcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctsccccccccccccccccccbccccccccccccccccccccacccccccccccccccCcCcttaaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccacccccccccctCcCcttcccccccccccccccccccccccccccccccccbcccccccccccccccccccccccccccccccccccccccccCcCcttcccccccccccccccccccccccbccccccccccccccccccccccccccccccccccccccccccccttccCCtcccbcccccccccccccccccccccccccccccccacccccccccccccccccccCctctCccccccccccccccccccccccccccccccccccccccccccccccccccccccCcCcttCcccccccccccccccccccccccccccbccccccccccccccccccccccccccccccccccccttttttttttttattttttttctCttttttttttttctttrtttBCtttttttctttratttrrtttttttttttCttCttttsrtstrrrrrrarrArrrrrrrrrrrrasBrrrrrrrrArrrrrrrrrrarrrrrrrrrrrrrrara filter="src host 10.0.2.107 and tcp and synack and dst host 72.20.15.61 and dst port 80" 
label="From-Botnet-V31-2-TCP-HTTP-Persistent-Down-1" # (e2) State:33ttttttCtttttCrraaaaaacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttrrccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttcrrAAaaaaaaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctrraacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCccccctCrraaaaaaccaacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCtcCrracccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctrraaaaaaacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttctCCCccccccccccccccccccccccccccccccccccccccccccccccccCcCaraacacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCcCcCCCcCCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCttCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCcCcCcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttCcccCCCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCccCccccCCCCcccccccccccccccccccccccccccccccccccccccccccccccccccccCcCcCccccccCCCcccccccccccccccccccccccccccccccccccccccccccccccccccCcccccccttccccccccccccccccccccccccccccccccccccccccccccccccccccrrrrrrrrrrrrrrrrrrrrrrarrrarrrrrrrAArrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrArrrrrrrrrrrrrrrrrrrrrrrraArrrrrrrrrraarrrrrrrrrrrrrAArrrrrrrArarrr filter="src host 10.0.2.107 and tcp and synack and dst host 193.23.181.44 and dst port 179" label="From-Botnet-V31-2-TCP-HTTP-Persistent-Down-1" # (e2) 
State:33ttttctcctttttrraaaaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttCAraaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCttrrcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctAraaaaaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCArAacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccctAraaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccrraaacccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCCCccccCCtccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCrraaaccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCccccttccCCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCttCCCCccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccttcCCttcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCcCcttccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCttccccccccccccccccccccccccccccccccccccccccccccccccccccccccCcCCttCccccccccccccccccccccccccccccccccccccccccccccctccCtcccccccccccccccccccccccccccccccccccccccccccccccccccccccrrrrrrrrAarrrAarrrrrrrrArrrrrrrrrrrrrrrrrrrrrrrrrrrrrararrrrrrrrrrrrrarrrrrrrrrrrrrrrarrrrrrrrrrArrrrrrrrrrrrraArrrrrrrarrArrrrrrrrrrrrrrrrrrrAarrrrrrrrrarrraarrrr filter="src host 10.0.2.107 and tcp and synack and dst host 193.23.181.44 and dst port 80" label="From-Botnet-V31-2-TCP-HTTP-Persistent-Down-1" # (e2) 
State:33cccctttcttttctttcttcttttttttttttttcttccccccccccccccccccccccccccccccccacccccccccccccccccccccccccaaaacccccccaacccccccccccccaacttcccttCcccccccccccccccccccccccccccccccccccaaaacccccccccccccccccccccccccccccccccccccccccccccccccccccccttcCtttccCccccccccccccccccaccccccccccccccccccccccccccccccccccccccccccccccccccccccccaccCCtttcCcccccccccccccccccaccccccccccccccccccccccccccccccacccccccccccccccccccccCtttcaccccccccccccccccccccccccccccacccccccccccccccccccccccccccccccccccccccccccccccccccctttCttcccccccccccccccccccccccccccccccbbbcccccccccccccccccccccccbbbccccccccccccccccCcccCcccccccccccccccccccccacccaacccccccccccccccccccccccccccaccccccccccccccccccccccccccccCCcCtccccccccccccccccccccccccccccccccccccccccccccccccccccaccccccccccccccccccccccccccccccCcttcccccCccccccccccccccccccccccccccccccccccccacccccccccccacccaccttCCtCcccccccccccccccccccccccbbbbcccccccccccccccccccccccacccccccccccccccccccccccccccccccttccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccaacccccCCcccccCcccccccccccccccccccccbbcccccccccccccccccaaaacccccccccccccccccccccccccccccccccccccCCccCCttcccccccccccccaccccccccccccccccccccccccccccccccccccccccaacccccccCCccttccccccccccccccccccccccccccccccccccccccccccccccccccccctcctccccccccccccccccccccccccccccccccccccccccccccccccccccccccccCCcccccCctccccccccccccccccccccccccccccccccccaaccccccccccccccacccccttttttttcCttttttcttrttttrcttttctttrCttcttAttttttrtrttttcttttcCttCtctttCrttttttttttttcttttttccAttrtcCttArArtrarrrrAarrrrrrrrrrrssArrrArarrarArrrrrrrraArrararrArrrrrArrrrrrArrrrrrrrrAr filter="src host 10.0.2.107 and tcp and synack and dst host 174.37.196.55 and dst port 80" label="From-Botnet-V31-2-TCP-HTTP-Persistent-Down-1" # (e2) 
State:33cctttttCtttttttttttttttttCcttatccaaaaccbcccccccccccccccccccaaaacccccccccccaccccccccccccccccaaaccccccccccccccccCttacccaaccccccccccccccccccccccccccccccccccccacccccccccccccccccccccccccccccccccccccccttttccccccccaccaccccccccccccccccccccccccccccccccccccccccccacccccccccccccccccccccccccccccccCCtttctrcccaccaccccccccccccccccccccccccccccccccccccccccccccccccccccccacccccccccccccccccccccccccccccccccccccccccttattccccacacaacccbccccccccccccccccccccccccccccccccccccccccccccabcccccccccbcacccccccccccccccccacccCCrtAaabbbccccccccccccccccccccccccccccccbccaaacacccccccccccccccccccccccccccccaaaaccccccttcccttccccccccccccccaacaacccccccccccccccccccccccccccccccacccccccccccccccccccaaacacccbcccttcAAtcccccccaabcccccccccccccccccccccccccccccacaabacccccccccccccccccaaccccccccacaccttccccccccbccccccccccccccccccaccccccccccccccccccccccccccccccccccccccttcccccccbccccccccccccccccccccccccccccccccccccccccccbcacccccccccttccttccccbcccacccccccccccccccabccccccccccccccccccccccccccccccCabArtcCCabcbccccccccccccccccccbacccccccccccccccccccbccaccccccccccccccctscCcBtaaaCccbcccccccccccccccccccccaccccccccccccccccccacccccccccccccCtccttBCcccccccccccccccccccccccaccccccccccccccccccaacccccccccAtccaattcabacbccccccccccccccccccccccccbaccacccccccccccccccccaccccccctCtccccaccccbcccccccccccccccccccccccccccbccccccccccttrsarttrtstttrttrtbtCasttstCastttrtsstttCttCtrccrCttttttCtttstrttrCCtttcttttttrtttttctttttcttttttttttcrrtttccrttrttttttttttCtttttttttttttttcttttrrrrtrrtttstArtrtttttttt filter="src host 10.0.2.107 and tcp and synack and dst host 174.128.246.102 and dst port 80" label="From-Botnet-V31-2-TCP-HTTP-Persistent-Down-1" # Seems to be a CC, but we can not be sure because the connection is DOWN and not answering. So it is more like a down connection with automatic retrying. 
# (e7) State:99ciiiiizziiittcccc filter="src host 10.0.2.107 and tcp and synack and dst host 174.128.246.102 and dst port 80" label="From-Botnet-V31-2-TCP-Persistent-Down-2" # ICMP filter="src host 10.0.2.107 and icmp" label="From-Botnet-V31-2-ICMP" filter="src host 10.0.2.107 and tcp and dst host 83.93.14.138 and dst port 9931" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 71.10.54.162 and dst port 3760" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 14.37.114.237 and dst port 3088" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 41.32.182.114 and dst port 8340" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 184.182.240.239 and dst port 7058" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 94.240.219.11 and dst port 9035" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 176.73.204.12 and dst port 8437" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 74.65.6.17 and dst port 2418" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 176.73.211.244 and dst port 8034" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 94.251.184.74 and dst port 9386" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 82.211.142.218 and dst port 9811" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 190.55.44.98 and dst port 5186" label="From-Botnet-V31-2-TCP-Custom-Encryption-1" filter="src host 10.0.2.107 and tcp and dst host 69.115.119.227 and dst port 1106" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and 
tcp and dst host 174.76.94.24 and dst port 2458" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 36.238.35.80 and dst port 2708" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 208.105.172.66 and dst port 2747" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 88.247.80.140 and dst port 1335" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 201.255.94.8 and dst port 4423" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 151.233.138.31 and dst port 9338" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 24.107.136.226 and dst port 5630" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 71.205.243.23 and dst port 1604" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 88.203.75.4 and dst port 3532" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 99.157.164.179 and dst port 3409" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 91.236.245.22 and dst port 5326" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 75.99.113.250 and dst port 4891" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 67.209.198.223 and dst port 5901" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 83.217.187.33 and dst port 2440" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 88.130.164.213 and dst port 9291" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 
75.11.171.237 and dst port 6259" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 92.4.140.211 and dst port 6775" label="From-Botnet-V31-2-TCP-Custom-Encryption-2" filter="src host 10.0.2.107 and tcp and dst host 5.178.178.199 and dst port 4758" label="From-Botnet-V31-2-TCP-Custom-Encryption-3" filter="src host 10.0.2.107 and tcp and dst host 213.219.135.107 and dst port 1435" label="From-Botnet-V31-2-TCP-Custom-Encryption-4" filter="src host 10.0.2.107 and tcp and dst host 24.107.118.64 and dst port 1128" label="From-Botnet-V31-2-TCP-Custom-Encryption-4" filter="src host 10.0.2.107 and tcp and dst host 194.246.126.196 and dst port 7306" label="From-Botnet-V31-2-TCP-Custom-Encryption-4" filter="src host 10.0.2.107 and tcp and dst host 97.93.7.68 and dst port 1620" label="From-Botnet-V31-2-TCP-Custom-Encryption-4" filter="src host 10.0.2.107 and tcp and dst host 46.48.247.67 and dst port 29365" label="From-Botnet-V31-2-TCP-Custom-Encryption-5" filter="src host 10.0.2.107 and tcp and dst host 95.104.10.167 and dst port 7786" label="From-Botnet-V31-2-TCP-Custom-Encryption-5" filter="src host 10.0.2.107 and tcp and dst host 46.48.233.117 and dst port 22868" label="From-Botnet-V31-2-TCP-Custom-Encryption-5" filter="src host 10.0.2.107 and tcp and dst host 82.211.167.134 and dst port 4066" label="From-Botnet-V31-2-TCP-Custom-Encryption-6" filter="src host 10.0.2.107 and tcp and dst host 46.48.235.191 and dst port 11550" label="From-Botnet-V31-2-TCP-Custom-Encryption-7" filter="src host 10.0.2.107 and tcp and synack and dst host 218.29.42.137 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-12" filter="src host 10.0.2.107 and tcp and synack and dst host 222.73.45.106 and dst port 88" label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-11" filter="src host 10.0.2.107 and tcp and synack and dst host 122.228.199.136 and dst port 80" 
label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-10" filter="src host 10.0.2.107 and tcp and synack and dst host 61.147.99.179 and dst port 81" label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-9" filter="src host 10.0.2.107 and tcp and synack and dst host 61.160.209.212 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-8" filter="src host 10.0.2.107 and tcp and synack and dst host 60.190.223.75 and dst port 2012" label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-Custom-Port-7" filter="src host 10.0.2.107 and tcp and synack and dst host 60.190.223.75 and dst port 2011" label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-Custom-Port-6" filter="src host 10.0.2.107 and tcp and synack and dst host 60.190.223.75 and dst port 88" label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-Custom-Port-5" filter="src host 10.0.2.107 and tcp and synack and dst host 122.224.6.164 and dst port 82" label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-Custom-Port-4" filter="src host 10.0.2.107 and tcp and synack and dst host 195.88.191.59 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-3" filter="src host 10.0.2.107 and tcp and synack and dst host 91.228.230.31 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-2" filter="src host 10.0.2.107 and tcp and synack and dst host 94.63.149.152 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Binary-Download-1" # Advertisement # (e9) State:11raAA filter="src host 10.0.2.107 and tcp and synack and dst host 174.123.157.154 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-64" # (e1) 
State:99xgiiiggggigghgiIigiggiIighiggghggigigigighhgigigggigigggigighihiggiihgiggzzziiiigiihigiigiiiiIgighigiiiggiiyziggihgiiiiiigIggigiigiiigghggiigigiigigigghggigiigggggiggihighhhgigggiggizGIGGIGGGiGxIhII0zyxgGGGHGIGIIGHgIzxzgghgIFIhIIIGGHiIxxgHgGIgiiIIHHHGGiIHIghggGGHGiIhiIihigIIghhihiiiggiiiighihigiigiiiiiigigiiiigiiihiigiiiihihiiiiihiiihiihhxGhhIGIIIGi # (e2) State:11rAv filter="src host 10.0.2.107 and tcp and synack and dst host 174.133.57.141 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-63" filter="src host 10.0.2.107 and tcp and synack and dst host 195.113.232.90 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-62" filter="src host 10.0.2.107 and tcp and synack and dst host 74.125.232.218 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-61" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.179.212 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-60" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.185.212 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-59" filter="src host 10.0.2.107 and tcp and synack and dst host 74.117.116.66 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-58" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.179.213 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-57" filter="src host 10.0.2.107 and tcp and synack and dst host 74.117.116.94 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-56" filter="src host 10.0.2.107 and tcp and synack and dst host 195.113.232.82 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-55" filter="src host 10.0.2.107 and tcp and synack and dst host 69.64.147.243 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-54" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.185.207 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-53" filter="src host 10.0.2.107 and 
tcp and synack and dst host 68.67.185.206 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-52" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.185.214 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-51" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.179.210 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-50" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.185.215 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-49" filter="src host 10.0.2.107 and tcp and synack and dst host 195.113.232.81 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-48" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.185.205 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-47" filter="src host 10.0.2.107 and tcp and synack and dst host 94.63.150.52 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-46" filter="src host 10.0.2.107 and tcp and synack and dst host 217.163.21.37 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-45" filter="src host 10.0.2.107 and tcp and synack and dst host 74.125.232.217 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-44" filter="src host 10.0.2.107 and tcp and synack and dst host 173.241.240.4 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-43" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.179.209 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-42" filter="src host 10.0.2.107 and tcp and synack and dst host 217.163.21.36 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-41" filter="src host 10.0.2.107 and tcp and synack and dst host 195.113.232.98 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-40" filter="src host 10.0.2.107 and tcp and synack and dst host 92.240.244.181 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-39" filter="src 
host 10.0.2.107 and tcp and synack and dst host 184.82.147.252 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-38" filter="src host 10.0.2.107 and tcp and synack and dst host 195.113.232.83 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-37" filter="src host 10.0.2.107 and tcp and synack and dst host 70.32.97.26 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-36" filter="src host 10.0.2.107 and tcp and synack and dst host 184.82.155.108 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-35" filter="src host 10.0.2.107 and tcp and synack and dst host 217.163.21.34 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-34" filter="src host 10.0.2.107 and tcp and synack and dst host 217.163.21.40 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-33" filter="src host 10.0.2.107 and tcp and synack and dst host 195.113.232.96 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-32" filter="src host 10.0.2.107 and tcp and synack and dst host 184.82.148.44 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-31" filter="src host 10.0.2.107 and tcp and synack and dst host 64.236.79.229 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-30" filter="src host 10.0.2.107 and tcp and synack and dst host 93.184.220.20 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-29" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.185.210 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-28" filter="src host 10.0.2.107 and tcp and synack and dst host 217.110.110.231 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-27" filter="src host 10.0.2.107 and tcp and synack and dst host 184.82.148.44 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-26" filter="src host 10.0.2.107 and tcp and synack and dst host 217.163.21.38 and dst port 80" 
label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-25" filter="src host 10.0.2.107 and tcp and synack and dst host 67.201.31.224 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-24" filter="src host 10.0.2.107 and tcp and synack and dst host 87.248.203.254 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-23" filter="src host 10.0.2.107 and tcp and synack and dst host 50.23.235.4 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-22" filter="src host 10.0.2.107 and tcp and synack and dst host 174.36.246.56 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-21" filter="src host 10.0.2.107 and tcp and synack and dst host 67.214.158.5 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-20" filter="src host 10.0.2.107 and tcp and synack and dst host 64.38.232.180 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-19" filter="src host 10.0.2.107 and tcp and synack and dst host 50.22.198.84 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-18" filter="src host 10.0.2.107 and tcp and synack and dst host 74.117.116.77 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-17" filter="src host 10.0.2.107 and tcp and synack and dst host 94.127.76.180 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-16" filter="src host 10.0.2.107 and tcp and synack and dst host 208.73.210.29 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-15" filter="src host 10.0.2.107 and tcp and synack and dst host 95.172.94.64 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-13" filter="src host 10.0.2.107 and tcp and synack and dst host 217.163.21.41 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-12" filter="src host 10.0.2.107 and tcp and synack and dst host 87.248.203.253 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-11" filter="src host 10.0.2.107 and tcp and synack and dst host 77.238.167.32 and 
dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-10" filter="src host 10.0.2.107 and tcp and synack and dst host 195.113.232.88 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-yieldmanager-9" filter="src host 10.0.2.107 and tcp and synack and dst host 217.163.21.35 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-yieldmanager-8" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.185.209 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-7" filter="src host 10.0.2.107 and tcp and synack and dst host 68.67.185.217 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-6" filter="src host 10.0.2.107 and tcp and synack and dst host 69.16.175.10 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-5" filter="src host 10.0.2.107 and tcp and synack and dst host 195.113.232.73 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-4" filter="src host 10.0.2.107 and tcp and synack and dst host 195.113.232.97 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-3" filter="src host 10.0.2.107 and tcp and synack and dst host 209.190.94.170 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-2" filter="src host 10.0.2.107 and tcp and synack and dst host 98.126.71.122 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Ad-1" # CC # ###### # (e7) State:99ciiiiizziiittcccc filter="src host 10.0.2.107 and tcp and synack and dst host 123.126.51.33 and dst port 80" label="From-Botnet-V31-2-TCP-CC108-Plain-HTTP" # (e3) State:360t0t0c0c0c0f0f0t0t0c0c0c0c0c0c0f0t0t0c0c0c0c0c0c0c0c0c0w0F0w0t0t0f0c0c0c0c0c0f0c0c0c0c0c0c0c0c0c0c0c0i0w0w0w0w0w0w0w0w0w0w filter="src host 10.0.2.107 and tcp and synack and dst host 193.105.210.21 and dst port 999" label="From-Botnet-V31-2-TCP-CC107-Plain-HTTP-Encrypted-Data" # P2P CC of exp12. 
Really a small amount of traffic. Note that six of the seven filters below match the inbound direction (external peer -> 10.0.2.107) while the label still says From-Botnet; presumably intended so both directions of the P2P exchange get the same label -- verify against the labeler's direction semantics.
The IRC traffic was captured as coming from the internet (src 38.229.70.20 -> 10.0.2.107:1027) because the pcap was broken, which is why this filter's direction is reversed relative to the other CC filters
label="From-Botnet-V31-2-TCP-CC104-HTTP-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 62.149.140.209 and dst port 80" label="From-Botnet-V31-2-TCP-CC103-HTTP" filter="src host 10.0.2.107 and tcp and synack and dst host 212.124.126.66 and dst port 80" label="From-Botnet-V31-2-TCP-CC102-HTTP-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 194.28.87.64 and dst port 80" label="From-Botnet-V31-2-TCP-CC101-HTTP-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 97.74.144.110 and dst port 80" label="From-Botnet-V31-2-TCP-CC100-HTTP-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 84.59.151.27 and dst port 3285" label="From-Botnet-V31-2-TCP-CC99-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 186.92.137.193 and dst port 2873" label="From-Botnet-V31-2-TCP-CC98-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 212.17.122.207 and dst port 3945" label="From-Botnet-V31-2-TCP-CC97-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 210.210.112.17 and dst port 7465" label="From-Botnet-V31-2-TCP-CC96-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 176.73.233.22 and dst port 6918" label="From-Botnet-V31-2-TCP-CC95-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 172.242.78.165 and dst port 6687" label="From-Botnet-V31-2-TCP-CC94-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 200.84.7.244 and dst port 8038" label="From-Botnet-V31-2-TCP-CC93-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 82.211.161.86 and dst port 2017" label="From-Botnet-V31-2-TCP-CC92-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 78.139.149.134 and dst port 3610" label="From-Botnet-V31-2-TCP-CC91-Custom-Encryption" filter="src host 10.0.2.107 and tcp and 
synack and dst host 155.230.189.121 and dst port 6758" label="From-Botnet-V31-2-TCP-CC90-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 31.192.7.200 and dst port 5479" label="From-Botnet-V31-2-TCP-CC89-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 211.38.175.27 and dst port 4598" label="From-Botnet-V31-2-TCP-CC88-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 82.211.141.181 and dst port 5977" label="From-Botnet-V31-2-TCP-CC87-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 85.90.169.173 and dst port 6297" label="From-Botnet-V31-2-TCP-CC86-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 89.40.177.36 and dst port 2670" label="From-Botnet-V31-2-TCP-CC85-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 82.17.183.230 and dst port 3113" label="From-Botnet-V31-2-TCP-CC84-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 176.73.98.25 and dst port 6950" label="From-Botnet-V31-2-TCP-CC83-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 95.104.66.207 and dst port 7362" label="From-Botnet-V31-2-TCP-CC82-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 176.73.207.85 and dst port 7491" label="From-Botnet-V31-2-TCP-CC81-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 95.104.77.164 and dst port 3226" label="From-Botnet-V31-2-TCP-CC80-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 75.25.155.129 and dst port 1509" label="From-Botnet-V31-2-TCP-CC79-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 200.91.49.183 and dst port 5371" label="From-Botnet-V31-2-TCP-CC78-Custom-Encryption" # (e7) State:23Aattr filter="src host 10.0.2.107 and tcp and synack and dst host 61.135.188.210 and dst port 80" 
label="From-Botnet-V31-2-TCP-CC77-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 174.128.235.237 and dst port 88" label="From-Botnet-V31-2-TCP-CC76-HTTP-Custom-Port-Not-Encrypted-Binary-Download" # (e8) State:31sw0r0A0s0r0A0r0s0b0s0r0r0s filter="src host 10.0.2.107 and tcp and synack and dst host 222.73.45.135 and dst port 81" label="From-Botnet-V31-2-TCP-CC75-HTTP-Custom-Port-Not-Encrypted-Non-Periodic" # (e8) State:33CcccccccccccccCCcCttttccccttcttcccccccccccccccccccccCCcttcctccccccccccccccccccccccccccccccccccttttcccccccccccccccccccccccccccccccccctccctcccccccccccccccccccccccccccccCCcctCtttcccccccccccccccccccccccccccccccccctctttcccCtCtttCccc0rtCttccCcCccccccccccccccccccccccccccccCtcctcccccccccccccccccccccccccccccccccctttctcccccccccccttccccccccccccccccccccttcctcccCCccCCCCccttcCCCcCccccccccccccctcctccCCccCCccccccccccccCCcCCCccCCcCCtttttCCcccccccttccttcCCcCCcCcCCCccCccCCtcCtCCccCcCcttccccccccccccccccccccCcCtCctccccttCcccCccCCcccttcccttcccCCcccCtcctttcccCcccCcCCcCCCCcCCccCCcccccCCCCttttcccCttttttcccCcCcccccCCcCcCcttccctcctcccccccCCcccccttcccCccCccCcCcCCccttcctCccccccccccccccCCcccCCCCccccCCcCCttccttccccCCcCCCCcCCccccccccccccccttCctttttccCCcccCCcccCcccCtttCccttcccttcctctttccCCcCcCcttCcccttccccccccccccccccttttccccccccccccccccccccccccccccccccccctttttcccccccccccccccccccccccccccccccccttttccccccccccccccccccccccccccccccccccctttttcccccccccccccccccccccccccccccccccctttttcccccccccccccccccccccccccccccccccttcttccccccccccccccccccccccccccccccccccttttcccccccccccccccccccccccccccca filter="src host 10.0.2.107 and tcp and synack and dst host 222.189.228.111 and dst port 3389" label="From-Botnet-V31-2-TCP-CC74-HTTP-Custom-Port-Not-Encrypted" # (e4) State:71rarrrrrraaaaarrarrraaArrrrrraarrrrrrrraaaaaaa # (e6) State:71rrrrrrraaarrrrrwrrrraarrrrrwarrrarrrrrrrrarrrraarrrrrrrrraarararrrrrrrrarrarrrrrrrrrrrrrrrrrrrrrrrarraarrrrrrrrrabrrrrrarraarrrrrrrarrrrrarararrraararrrrraaarrrrrrrrarrsrrrarraaaararrrraaaaararaaaa # GOOD filter="src host 10.0.2.107 and tcp and 
synack and dst host 91.212.135.158 and dst port 5678" label="From-Botnet-V31-2-TCP-CC73-Not-Encrypted" # (e2) State:11arrAtaarrrrrrrrArrrrAAarrrArAtrrcrrrarcrrrraaCrrrrrAAArrrrrarrrAAarrrrrrrrrrrrrrrrrrrrr filter="src host 10.0.2.107 and tcp and synack and dst host 184.82.155.107 and dst port 80" label="From-Botnet-V31-2-TCP-CC70-Custom-Encryption" # (e2) State:31aarraarArArrAtrrAArrarrAAAACrArrrAAAAarrraraaArarrrArraarrrarrrarrrCaArraararAraaarArraaAttsrrraarrArArArrrrAaarrrarrAArrrArArrrArrarAaaAaarArArrArrrrrrrarrraAAAaAArrArraAaaaAArrrrrrrrrrrArrrrrraA filter="src host 10.0.2.107 and tcp and synack and dst host 184.82.147.251 and dst port 80" label="From-Botnet-V31-2-TCP-CC69-Custom-Encryption" # (e2) State:11aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaararrrrArrraraarraaaraAraraArararaaatrraArarrrrrraAarrCrrrrrrrrrrrrarrrrrrrArrArrrrrrrrrAarrrrrraArrrrrArrrrtrrrrrrrrrcrrArArrrrrrrrArrrtrrraaarrrrar filter="src host 10.0.2.107 and tcp and synack and dst host 184.82.148.43 and dst port 80" label="From-Botnet-V31-2-TCP-CC66-HTTP-Custom-Encryption" filter="src host 10.0.2.107 and tcp and synack and dst host 67.19.72.206 and dst port 80" label="From-Botnet-V31-2-TCP-CC63-HTTP-Not-Encrypted" # (e2) State:11aaaarrrrrAAarArrraAAraaarrrArrrrrarraAraarraaaa filter="src host 10.0.2.107 and tcp and synack and dst host 31.192.109.161 and dst port 80" label="From-Botnet-V31-2-TCP-CC56-HTTP-Not-Encrypted" # (e1) State:44ddi0z0i0i0i # Some TP. 
filter="src host 10.0.2.107 and tcp and synack and dst host 213.246.53.125 and dst port 5296" label="From-Botnet-V31-2-TCP-CC55-Custom-Encryption" # (e1) State:66fiffiiiiiffifffiffi filter="src host 10.0.2.107 and tcp and synack and dst host 222.88.205.195 and dst port 443" label="From-Botnet-V31-2-TCP-CC54-Custom-Encryption" # (e1) State:44DdddddddddfdddddddddddddddddddiddddddddDDddddddDddd filter="src host 10.0.2.107 and tcp and synack and dst host 31.192.109.167 and dst port 80" label="From-Botnet-V31-2-TCP-CC53-HTTP-Not-Encrypted" # (e9) State:46tFtwwttwwwwwwwwwwFfttwFCttffFwftCwwcCtftwttfFFtFwwwwwFwwFwcwfwcwt # (e9) State:53twwwtuwwtwwwwFCfcfwwCcFfFfFwwwcfCcwFwwwwffwwwcwtwtCtwtCFwwwCwtFcFcwwwtfttft # (e9) State:46fFcwwtttwwtCwFfFfwFFCtwwcFFwcCcttwttcwwFtwwtffwtwwwwwwwwwwwFvwws # GOOD filter="src host 10.0.2.107 and tcp and synack and dst host 195.190.13.78 and dst port 80" label="From-Botnet-V31-2-TCP-CC23-Plain-HTTP-Encrypted-Data" # (e9) State:46twtCtCftFwwttwwfFfffFctttttCwtCfFtwwwCtwcCttwfFCtwwwwwtwttw # (e9) State:46FwwwwwwFtctCtwFttwwcfCFwttCwFcwFtwwwwttwwCttwwtwtttwCwwtccwwwtws # (e9) State:43wtttftfFctwtcFttCtwtwtwwttwtttFwcwtfttCCCcttwcwwtfctwFwtwwts # (e9) State:43CFfwtwtttFwfwwwtwCFFwfttCfCCFCwtttwFFfwtFwtFwtwwtCftffFCwwtttwCt # (e9) State:46wwftttwtwwwtcFCwtFCFtwwFFfCwwttwwwtFtccwtwFFctFtwtcwftttfwCctCtwts # (e9) State:43wtwftwFwwwtCttftwwctwtwwtCCCfFwftFFwtfttttffwwwwCwwftwwCs # (e9) State:46fwwcCCtttwtwwtttfttFFwwfwwCwCcwwwCFtFCwwwCwFCftwtfFwwwfcwtwtCv # GOOD filter="src host 10.0.2.107 and tcp and synack and dst host 195.190.13.70 and dst port 80" label="From-Botnet-V31-2-TCP-CC20-Plain-HTTP-Encrypted-Data" # This one should match only in e1. 
In the rest should not be used # (e1) State:96fFIFIIFfiiiiIFFiFififfIfifIffIFfIfifIiiififIFfIfifIFifffiifIiIiIFiiFIifiiifIFfifiFIfHIIiififIFIIfigifIFIFII0zzIzwz0wzz0zzzziiIIiIFiifiiiiifIIFFFFfffifiiIFzzzzzwiIfizzzIFwzhhI0zw0zwwzwwfifIfIiiIIffiIiIiIfFiiifiiffffiiifiiiiffiififffiiiiffifiiffifiIIfifiiifffiIIizwIiIIiF #filter="src host 10.0.2.107 and tcp and synack and dst host 173.192.170.88 and dst port 80" label="From-Botnet-V31-2-TCP-CC16-HTTP-Not-Encrypted" # This one should be used in all the experiments except e1. # (e2) State:33tttstttrttswtttttttttcttttfctwtttttttcttttttttttcttcttttstttttttstttttrwtttttttttrrtt0tsttt0ttstrtttttttttttttttttcttttttttttttttrttt # (e9) State:33crttrttCtcAtttttsttttCawttttAttCtCAwtttCatttttrtttcCattCCttttrtttrttrtttttrtttttBtttCawttttrwttttrwtttttttttCswtCcatttrttttAwttrwtttAwttttt # (e9) State:33rwtttcrtttttrtttttsrttttCsttcCcAttttcBttttAttttbttttAtttrttttCAtttcrwtttrwtttcrrwttttrwtttcBrwtttrwtttCAttccAttttcAwtttcBwtCccB # (e9) State:63ttcrwtttCBwttttAsttttcBttcttsrttttbrttttrwtttAtwtttttrwtttctwttCtattttatttrttBrtttCtattttAtttttcCAttttrttCtrtttttrwtttC # (e9) State:13ttctAwtCtcBwtCtcsrttttrttttattttattttrtttrttrtttttsttCctawtttcrwtttbAwtttCBtttttrttttCawtcCCttttAttttAttttAttttrwtttcrw # (e9) State:33CCatttrrttttAttttatttattrttttcatttttrwtttcattttcswtcttctttttBwtcttAttttAttttattttattttattrttttcsttCtCAwtttCrttttCArwttttrwttttattttsttttFAttttsttttrtttstttt # (e9) State:33ttCAwtttCrtttttAttcCtawtttCatttCtAttttrttttBttttbttttrtttrttttcAwtttcrtttttsttcttrwttttstttttstttttstttttAsrACtttrtttttrttttr # (e9) State:63tCtswttttrwttCtstttttrwtcttswttttrrttCtrrttttattrwttwtrwttttstcCttrwttttwscttrtttttsrttttrttttrrttttstttrwttttrr # (e9) State:33tstttrttrttttCawtCttrrtttttbttttCAttttCattttCsttCcattttAttttatttrttrwtttcsttcttBttttCswttcsrwttttsttttCrwtccrttctrtttttttttAttttrttttc # (e9) State:11rrfttttswttttrttttrttttrttttrttttrttrtttttsrwtCttrwttttstttttstttttstttttrtttrttttsrrCtttrwtttt # (e9) 
State:63ttcsttttcstttttswCtctrwttttsttcttswttttrwctttrwtCttrttttrttttrttrtttttrwtCttrCttttrwtttstttttrFttttttttctsttCtrwttttrtCttrttttsttCtswttttrFt # # (e13) State:31trtrtttstrttwtsrtrtrtrtrtrtrtrtrtrttttCCtrtrtrtrtrtrtttrtrtrttttttttrtrtrtrtrtrtrtrtrtrtrtttttttrtrtrtrtrtrtrtrtrtrtrtttttttrtrtrtrtrtrtrtrtrtrtrtttttttrtrtrtrtrtrtrtrtrtrtrtttttttttrtrtrtrtrtrtrtrtttrtrttttrtrtrtrtrtrtrtrtrtrtttrtCtctttttbtttrtrtrtrtrtrtrtrtrtrtrtrtrtrtrtrtstrtrtrtrtrtrtrtrtrtrtrtrtrttrttrrtrtstttttttttttttttttttttcctttttttttttttcCtttctttwtttttttCtttttwttttttttttttttttrttttttrtrttrrrstsrttsttrsCttttsttcttttttttttcCttsttt . This one has some FP. # GOOD filter="src host 10.0.2.107 and tcp and synack and dst host 173.192.170.88 and dst port 80" label="From-Botnet-V31-2-TCP-CC16-HTTP-Not-Encrypted" # CC ###################### # These are all CC to port 6667 that are not irc, but some HTTP that sends 2 o 3 flows. Some worked, some not. filter="src host 10.0.2.107 and tcp and synack and dst host 213.92.8.4 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11rArrsrrrBArs # (e9) State:110rr # (e9) State:11rr # (e9) State:11r # (e9) State:11rr # (e9) State:11r # filter="src host 10.0.2.107 and tcp and synack and dst host 202.112.126.218 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r # (e9) State:110r # (e9) State:11r # (e13) State:110rr filter="src host 10.0.2.107 and tcp and synack and dst host 61.17.216.86 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11rrr # (e13) State:11r filter="src host 10.0.2.107 and tcp and synack and dst host 58.42.247.165 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11t # (e9) State:11r # (e9) State:110rr # (e9) State:11rs filter="src host 10.0.2.107 and tcp and synack and dst host 86.123.31.54 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:110r filter="src host 10.0.2.107 
and tcp and synack and dst host 61.17.216.15 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r # (e9) State:11r # (e13) State:11rr filter="src host 10.0.2.107 and tcp and synack and dst host 200.171.4.222 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11rr # (e13) State:11rr0r filter="src host 10.0.2.107 and tcp and synack and dst host 218.189.208.34 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 217.34.4.226 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e2) State:11r # (e9) State:11r # (e13) State:110rr filter="src host 10.0.2.107 and tcp and synack and dst host 217.34.4.225 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11rr filter="src host 10.0.2.107 and tcp and synack and dst host 184.106.213.57 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 115.85.238.119 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 89.103.213.96 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 81.10.0.18 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r # (e9) State:320rt filter="src host 10.0.2.107 and tcp and synack and dst host 61.177.120.254 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r # (e9) State:11rr filter="src host 10.0.2.107 and tcp and synack and dst host 61.17.216.94 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r filter="src host 10.0.2.107 and tcp and synack and dst host 61.17.216.92 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e1) State:88yyy # (e2) 
State:11r # (e9) State:11rr filter="src host 10.0.2.107 and tcp and synack and dst host 61.17.216.4 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e13) State:11r filter="src host 10.0.2.107 and tcp and synack and dst host 61.17.216.25 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r filter="src host 10.0.2.107 and tcp and synack and dst host 61.17.216.22 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e1) State:88yzy # (e9) State:11t # (e13) State:11ss filter="src host 10.0.2.107 and tcp and synack and dst host 61.167.116.133 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e1) State:880y0y # (e9) State:22tr filter="src host 10.0.2.107 and tcp and synack and dst host 61.150.114.216 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 60.173.109.42 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 58.42.247.143 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e2) State:11r filter="src host 10.0.2.107 and tcp and synack and dst host 58.215.78.1 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 61.177.120.254 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 86.123.31.54 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 221.207.141.60 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:22rr # (e12) State:11rr # (e13) State:31rr filter="src host 10.0.2.107 and tcp and synack and dst host 219.232.102.130 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" # (e9) State:11r 
filter="src host 10.0.2.107 and tcp and synack and dst host 219.145.198.122 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 60.173.109.42 and dst port 6667" label="From-Botnet-V31-2-TCP-CC1-HTTP-Not-Encrypted" ################### 6667 filter="src host 10.0.2.107 and tcp and synack and dst host 208.110.80.34 and dst port 443" label="From-Botnet-V31-2-TCP-CC13-Custom-Encryption" # (e5) State:22rBACrtrtstr # (e9) State:17xggAaaAaAacrrAaCtasCrsAAaAcstAsAraCrraartrtrrtsszrrrt # (e9) State:31rrrrrrrrzrrrtrtrrtrrstrrrtrstttrrrtrrtrrszzrrrz # (e9) State:11rctararrtrtrtssrttrrtrtstrrraAbCrrrtsrsrttrrCrtrraarrriziztztzz # (e9) State:33rrrrrrrtsrrrrrrrrtttrrrtrrrrrrtrrrrrrtszzzzzzzssttAsrAbrBCtssAArbAAaabBAtaaAaBttasrraabAAaAAAraBrraaacrraBrttArCtrsAAbsaABrAcrsBrrABbbbaAabABrt # (e9) State:11rAaaaaaActsCrrcstsrBCrrCsrtrrBaBCrrCrrrtrtrrssAAcstrztstz # (e9) State:11rCrrcacstrraaAracrrBsBbaAaarCrraaAAAAaACttrssaCsrAaaaCtcaractrsrrBBAABcrrrraCtIrstz # (e9) State:33trrrtrstttrrrssrrtsrrtrtrrrrrrtrrtrtrsrsrsAAaBBACzzrztyz # (e9) State:13yrAtrxx0z # (e9) State:17rstzr # (e9) State:18ttgtttCarcrrCrrAaAAAaaCrtrrACrrrsCrzzIIsszz # (e13) State:18rbrrrrzxxyryrraAAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # Weird... is it good? Does not seem so... 
# NOT GOOD filter="src host 10.0.2.107 and tcp and synack and dst host 91.220.0.52 and dst port 80" label="From-Botnet-V31-2-TCP-CC12-HTTP-Not-Encrypted" filter="src host 10.0.2.107 and tcp and synack and dst host 74.3.164.222 and dst port 443" label="From-Botnet-V31-2-TCP-CC7-Custom-Encryption" # (e1) State:88hhhyyhhh # (e2) State:11raArrrAA # (e9) State:11rABrrrrrrrrr # (e9) State:11rrrrArrrrrrr # (e9) State:11rrrasrrrAAAA # (e9) State:11rrrrrrrrArrr # (e9) State:11rArrrssraArr # (e9) State:11ArrrrrrrArrr # (e9) State:11rrrrrrrrAArr # (e9) State:11rrrArrrrAArr # (e9) State:11rrrrrrrrAArr # (e13) State:120tttCtCCtttCttt0rrrrrrAAAA0rr0rr # GOOD filter="src host 10.0.2.107 and tcp and synack and dst host 60.190.223.75 and dst port 888" label="From-Botnet-V31-2-TCP-CC6-Plain-HTTP-Encrypted-Data" # (e5) State:41rrrAr # (e9) State:41rrrrrrr # (e9) State:41rrrrrrr # (e9) State:41rrrrrrr # (e9) State:41rrrArrr # (e9) State:41rrrrrrr # (e9) State:41rrrrrrr # (e9) State:41rrrrrrA # (e9) State:41rrrrrrr # (e9) State:41rrrrrrA # (e9) State:41rrrrrrr # (e13) State:41rrrrr0uu0u0Drr0u0d # GOOD filter="src host 10.0.2.107 and tcp and synack and dst host 94.63.150.63 and dst port 80" label="From-Botnet-V31-2-TCP-CC5-Plain-HTTP-Encrypted-Data" # END CC # ########## # (e9) State:990f # (e9) State:990f # (e9) State:990c # (e9) State:990i # (e9) State:990i # (e9) State:990c # (e9) State:990f # (e9) State:990f # (e9) State:990c # (e9) State:990f filter="src host 10.0.2.107 and udp and con and dst host 188.72.241.107 and dst port 3524" label="From-Botnet-V31-2-UDP-Custom-Encryption-1" # (e9) 
State:33tttzttttwuvFCfffEwvzwwzHIFiIHIiiIIIIzttFvwEfFFEEfFwffffEwwswfwvaGDDhhbgdhhizziIzIIHIwvwfEuDddddidaadddddgdgiddgdgggdgggggdgggigggggiigihhhhhhfzzwiztzItwsyFfCffwsiefzffihIFIhIIzIIzziiccwzwwfefbewwEwfEbufzFzfFFBIzzzwzzhcvtwziztyyiIyzIIItwwweeEwwvcfiFwIIzfIIziizzizyzCtzwztvvfwffwwifffEzfhzwIBytFwzztzzzICzwyztvHhiiIiIIHHIzieyyIzIihICwzEwwtwCzttwttwwFEwfvEFFtEcFeFwBFeffbdbfwbfbFvftCfewsswefffAEEFBCFeBfwzzwiwwwiffwseedCwFifedufrufuGdhFIiFiFFEIvzrvIFzzzIbibiEIiihhHhehIIIIziiiIzFewwfEffvwEFwFcfFHCtwvEffsradddddhhhdhhchHyHiHhHiituvddddddddddedddgddddddgadgddgdddGgddgddggggGdgdggggdggghggGGggghgghGCyDHzbezIziziCzCcwvvFFfFuvFzuuadddddddgiFwEtzceIIhzzEyyIIzfGt filter="src host 10.0.2.107 and tcp and synack and dst host 212.117.177.186 and dst port 65500" label="From-Botnet-V31-2-TCP-Not-Encrypted-SMTP-Private-Proxy-6" # (e9) State:33CctttwwwFFFwwFwIFfIIFEcEdGdheifzwywiFifiFIiiihvtiiIIiIIiIiiiCIzwvwFFeFEfffFvEFvEfeiFwFfFCIFibiIdvEIvyDeIsyditiIiIziyzfuvwEDvFwFFcfcEEwtEbeFrsfzzizIiHyhhittwrwdddeeCcfFffFiiiifBHIiIzziiIzIwwwfwwtwwzEHCFvzihiiwIhzzzfiIzzIzIICtwwveFwwfffFvwEFfwECstfCzFwczIzwzIwzwIFiwztwtzcIiIiCizzzzztttwtFwFttwtwwwftczzFwwwFffttitttwCtwfCwwFFwFtcttttwwFtwwtzwwtwIzzwzfFwwCwcCtCwttttttsCtwtwwftttIwztwwziIFiztwtwwwwtCwwtFFFftCwwwftwt # (e9) State:33ctCcttCzztwwwfwfCcttttzttwttwwwtFwtczwzICcwtwzzzzzItzFttwwwwfwCtttzwtwFwwFCCCtttttwwwtCtztttzzwwtwwtczztwwwwwztzttwtwFwttwtztwftwfFFftttttttzt filter="src host 10.0.2.107 and tcp and synack and dst host 50.7.244.234 and dst port 65500" label="From-Botnet-V31-2-TCP-Not-Encrypted-SMTP-Private-Proxy-5" # (e9) 
State:12bAssCwtiwwwfFwfffIFfIHIfzzIHrrgeHdHDIwexDgadgDGddfizwfizzIizzIIIiitvItvvfwwtufwCFFfEFiifffhHIIziiiiIcvcvzHyhctzvwvwvwEFeffwweFcsFBcEwzwFeFwEEhFvzIiFzyziCfCsuzziiciIzzzzwrueFwwefeehFvIiHFHIHiiizizzcziwwwwFvwfeewywwIiiFIIfbEefFfwwwfEyFvzzIvzHIIiIIzizIczztwwwffeFFwwIibeFIzzIfHIIzywCvzIzIyzzctwtvDvwFCfwwIwwCcIwzwwtwwtttwttwtCttwwwwwIcctwwwwwftwttttwzwItzIcCzwcwtiIFtzwwwwCFCFfwwwwtwftztwwwwwcfccwFccttttCwwwftttttcwtzwtfCwctwtwFftwwttwwwffFttzzzzFCwifcwzwttwttwwwwFwwta filter="src host 10.0.2.107 and tcp and synack and dst host 89.149.217.37 and dst port 65500" label="From-Botnet-V31-2-TCP-Not-Encrypted-SMTP-Private-Proxy-4" # (e9) State:92vcvtwvwwwzFCwEwfwIiwFzzzzIizzzIiCtttzttzwwfffcFeEdGddghgitvzfzBwiFieIvzEdxdgbzeifiwywFBzzBHFIiyyIzIzIiIwwwEvfwwwFIfwtIiyIfihyhhhizIzicttwwvvFwFfFFzbwwzzvyIzziIyIIiIIcwwvfDwwffFrdddeddghdgddiwzFizIiiCIfIbFHwiIzwzCisiwwwwwwwzFtItzIIizztwffwwFCFFtIztwwwtzttzwwzwcwttCwFwwFFwtwtszitztzwIwwwcwtzztcFffFtwwFcczCwCwwwwwFFtfzwzttwwwFFtcFfwFwctttzFtwtFFwwwzcfttzttwwwFfwwCFttwwFFfCtwwwwwtttwwt # (e9) State:31vwArcttttzttttwwwwwewEfeiFtviIywzzzzziIhzzzztttttwwvdvEFwffIFFHzzfIEIcwzwzfIfifFFifieiHhihFwIHzIiiIziwiiIyxHhyyhdgDgddddaeFFIwfIIcECtwzICccwtwzzciffzwiftwCwCcIttwctttczzzIzfwwwffCcffctzztItiCitwtwwztwtzFwtCwwzfFwttwFtIwwtIFwtwtiFitICztttwzwztwttzwztffttwzwwwfcwFwczcizttwwwFtcfwfwfzCctztwwwtitwwtwfwFtCzcwztwtzIFIzzzzzzzzzFzwwzwwwzt # (this looks good but gave FP! I will delete it, but has to be analyzed...) 
filter="src host 10.0.2.107 and tcp and synack and dst host 212.117.161.86 and dst port 65500" label="From-Botnet-V31-2-TCP-Not-Encrypted-SMTP-Private-Proxy-3" # (e9) State:12aAIAbtwtttcttwwvFFfbuddddfCwvffffIiicfFEEhyHGHyivEiHIIIIIihzzzIiIIyziIiIIwttwvwEueddeDFdfvwzvfFBfEwvwtwCzeduhbIFFziiziIHDGGizziHGyhhhhizCwvwFfEEFFfeefEFFveDDddaadddddddddggddddefzwigyIbwIHwHHIhIzbiBhgHIIiihIIiIiIwwvvwedvvFCewbFEvDdeeIEfEuGeGwzIIfIfIiziiiizizIIcwwvwweeiDeFwwewwFffieFHwwIFIIhGDggdgghghgizzIIHzbIIzhzIiztzztzztwtwzttwtwtwtztvwefEwtwfEvFDIwEFFIfIHCwzzcICzcItztIczttIwztcffwtfFtwFwICCwwctwwwFwwtBsCzwtttfwFwtCtfwtwICcczwwtIFFwCCztzctwwzwwzfCftFwFtftzwwwFwzwtFzszcCttwztwwwzttwtwwwwfwwtstwwttwFwffcwCFtwtCtt filter="src host 10.0.2.107 and tcp and synack and dst host 212.117.177.188 and dst port 65500" label="From-Botnet-V31-2-TCP-Not-Encrypted-SMTP-Private-Proxy-2" # (e1) State:96iIIiFfiiIiiIIIfiIIIiiiiiiiiIfIiIIIiiiiIFiFIiwzwwzzIIiF0wzwzzfi0wwwwwzFzwFw0wwwwfiiw0wwzwww0wwwwwfwww0wwzwiwwwziwzwF0wwwfwwwwwwwwzzwzziifiiiiifdffwwz0wzwiidfFIFFdiDFIIwzziiiiwwzfwwweiFFwwFFwwFEfi0wwwwFfww0wwzIfifei0ww0wwzeifeewwFFwwwwvziifffifefIFiifiiffffFFFIiIiiiiiiiiiiiIIIIIiiiiiiiiiiiiiiiiiiiiiiiiiifhiiiiiiiIIiFfFeFfFFFFFfFff # (e2) State:11AaaDBAAaabuAabCzzttwtztwttztztwtCtttwt0twzzzttzttttztttzzt0tztzzz0ttzzztzzttztztzFICwwttzzz0tttztsztrt0tt0ttttettAC0ttttt0tttt0ttt0tt0ttrstCtttstzzcztztctsttstttwwtBrzBsCsrttrvaaztsctwszvzfrttrttczttrsBtwt # (e5) State:64udddddddhedhdHhEdhhiaIHhHHbHHihhFwiwuwvtrzryfwubivwtsucivwwztwwfcfIcczECCftzewvwsBAxHvscIgvEgdDcddddddddddhgdddhgaHHighEhhhHHhHIhhHhDHgeeaeiebhahBCyyADeDDeHHiEeehBAIicruhadhftwttr # (e9) State:52cttttwwzwwwzticItztttCttttztzzttttwtFwwtCtzttztzztzzztcFwtztzwwwFwztzwwzffftCIwtwcwtwIwwtttwtwwwwtwzIztIwiItzztIwIzzztFFiItiwzizztIFicztIItzIzzzttzwtzwwFwwCitwwwfFwwwwfCiwfzzzFzzztIzIIIIzzfwFwwFwtatztwtffvFzwtFtwCztwtFFfwwFCFwrtctFwwbtzthwfwwwwcwwwcFwwffFttwwwwfFCFFwzwzwziizzIzIzItzzyzyztt # (e13) 
State:23tctzwFwwwtzffewtizzCtzIICwzwCiftFtzttztzwtwwwtwtttttFwwwwwwwFwifwIziczwzzzIICIIiiIIwttyCwttffFFttwIytwFztycfftwwwCwIwwytwigztttwyzwtttCwvwtwwfcCFsttzztwttztwtItttwzwwwtttiwttttwFwvwzffFFfIffiztIfIzzzIIzwIwzfwwwFiwwwbtfswszztzwcwtzCttwwzsttwzuwFzzzIzFyztztwwwfffFIFzwwzzzzIiwzzzwwzwzwywzvzwICzztwvwvwFwwFfiffiIFwzztzzztIIIzzzzzwwwwFwwtzcwzftwzCwFzwwwwwwwwwwCIFwIzwztzzzzzzzzzzztwtwwwwwwFffffcwfzwfIzffFiiiizzwzziFIztttwtwwwwtttwtttttzttttttttttwctczwwzIciCzzzwtIwItwwwwwwwFwftFCFfwFzyftwfcItIwwffFzttzFIwwttztztwwytwIFfiewwcwzetwFIezwAyrEtFxzyszzxywAIIztzwtFCfCcwwFwwwwCwtwwwFiItfFwzzCizzzittttttztwwttttttwuvdDeddddDaedDDdbdddgahededddhehehhhhbGhEAdehEhhhhhhbdCzt filter="src host 10.0.2.107 and tcp and synack and dst host 212.117.171.138 and dst port 65500" label="From-Botnet-V31-2-TCP-Not-Encrypted-SMTP-Private-Proxy-1" # (e13) State:990s filter="src host 10.0.2.107 and tcp and synack and dst host 74.3.164.222 and dst port 443" label="From-Botnet-V31-2-TCP-Established-Custom-Encryption-8" filter="src host 10.0.2.107 and tcp and synack and dst host 74.3.164.224 and dst port 443" label="From-Botnet-V31-2-TCP-Established-Custom-Encryption-8" # (e9) State:660t # (e9) State:11AaaaaactarAF0w0t # (e9) State:11aAAcrtw0w0w filter="src host 10.0.2.107 and tcp and synack and dst host 204.12.208.59 and dst port 443" label="From-Botnet-V31-2-TCP-Established-Custom-Encryption-7" # (e2) State:190z0z filter="src host 10.0.2.107 and tcp and synack and dst host 184.154.89.154 and dst port 8735" label="From-Botnet-V31-2-TCP-Established-Custom-Encryption-6" # (e2) State:11ai0z0i filter="src host 10.0.2.107 and tcp and synack and dst host 173.236.31.226 and dst port 7212" label="From-Botnet-V31-2-TCP-Established-Custom-Encryption-5" # (e2) State:660f0c # (e9) State:660c # (e9) State:660C # (e9) State:660c filter="src host 10.0.2.107 and tcp and synack and dst host 83.133.119.197 and dst port 65520" label="From-Botnet-V31-2-TCP-Established-Custom-Encryption-4" # (e1) State:990iz0z 
filter="src host 10.0.2.107 and tcp and synack and dst host 78.129.227.128 and dst port 5231" label="From-Botnet-V31-2-TCP-Established-Custom-Encryption-3" filter="src host 10.0.2.107 and tcp and synack and dst host 78.129.163.119 and dst port 6251" label="From-Botnet-V31-2-TCP-Established-Custom-Encryption-2" # TCP Actions. Same state, same label filter="src host 10.0.2.107 and tcp and synack and dst host 65.55.72.7 and dst port 443" label="From-Botnet-V31-2-TCP-Established-Custom-Encryption-1" # UDP Actions. Same state, same label filter="src host 10.0.2.107 and udp and con and dst host 222.160.227.154 and dst port 32234" label="From-Botnet-V31-2-UDP-Established-P2P-Not-Encrypted-1" filter="src host 10.0.2.107 and udp and con and dst host 219.133.60.36 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.107 and udp and con and dst host 58.60.14.37 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.107 and udp and con and dst host 219.133.49.171 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.107 and udp and con and dst host 58.60.15.39 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-2" filter="src host 10.0.2.107 and udp and con and dst host 112.90.138.160 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.16.12 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.16.244 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.16.10 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.49.126 and dst port 8000" 
label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 112.90.86.181 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.48.105 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.49.31 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.49.123 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 119.147.45.89 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 112.90.86.183 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 119.147.45.15 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.49.124 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.48.104 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.16.16 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.49.30 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.16.17 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 112.90.86.182 and dst port 8000" 
label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.49.33 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 112.95.240.134 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 112.90.86.184 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.48.101 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 112.95.240.74 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 119.147.45.254 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 119.147.45.251 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.48.103 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 183.60.16.15 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" filter="src host 10.0.2.107 and udp and con and dst host 119.147.45.253 and dst port 8000" label="From-Botnet-V31-2-UDP-Established-Custom-Encryption-1" # From Botnet to Google filter="src host 10.0.2.107 and tcp and synack and dst net 195.113.214.0/24 and dst port 80" label="From-Botnet-V31-2-TCP-HTTP-Google-Net-Established-1" filter="src host 10.0.2.107 and tcp and synack and dst net 209.85.148.0/24 and dst port 80" label="From-Botnet-V31-2-TCP-HTTP-Google-Net-Established-2" filter="src host 10.0.2.107 and tcp and synack and dst net 173.194.112.0/24 and dst 
port 80" label="From-Botnet-V31-2-TCP-HTTP-Google-Net-Established-3" filter="src host 10.0.2.107 and tcp and synack and dst net 173.194.113.0/24 and dst port 80" label="From-Botnet-V31-2-TCP-HTTP-Google-Net-Established-4" filter="src host 10.0.2.107 and tcp and synack and dst net 173.194.114.0/24 and dst port 80" label="From-Botnet-V31-2-TCP-HTTP-Google-Net-Established-5" filter="src host 10.0.2.107 and tcp and synack and dst net 74.125.0.0/16 and dst port 80" label="From-Botnet-V31-2-TCP-HTTP-Google-Net-Established-6" filter="src host 10.0.2.107 and tcp and synack and dst net 209.85.149.0/24 and dst port 80" label="From-Botnet-V31-2-TCP-HTTP-Google-Net-Established-7" # From botnet to Java update filter="src host 10.0.2.107 and tcp and synack and dst host 72.5.123.29 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Java-1" # From botnet to Adobe update filter="src host 10.0.2.107 and tcp and synack and dst host 66.235.128.158 and dst port 443" label="From-Botnet-V31-2-TCP-Established-HTTP-SSL-Adobe-5" filter="src host 10.0.2.107 and tcp and synack and dst host 195.113.232.91 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Adobe-4" filter="src host 10.0.2.107 and tcp and synack and dst host 193.45.10.152 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Adobe-3" filter="src host 10.0.2.107 and tcp and synack and dst host 193.45.10.168 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Adobe-2" filter="src host 10.0.2.107 and tcp and synack and dst host 217.212.238.64 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-Adobe-1" # From botnet to AVG filter="src host 10.0.2.107 and tcp and synack and dst host 66.235.133.14 and dst port 80" label="From-Botnet-V31-2-TCP-Established-To-AVG-1" # From botnet to Microsoft filter="src host 10.0.2.107 and tcp and synack and dst host 64.4.56.87 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-To-Microsoft-Live-3" filter="src host 10.0.2.107 and tcp 
and synack and dst host 65.54.234.75 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-To-Microsoft-Live-2" filter="src host 10.0.2.107 and tcp and synack and dst host 94.245.116.9 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-To-Microsoft-Live-1" filter="src host 10.0.2.107 and tcp and synack and dst host 64.4.56.103 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-To-Microsoft-7" filter="src host 10.0.2.107 and tcp and synack and dst host 64.4.2.109 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-To-Microsoft-6" filter="src host 10.0.2.107 and tcp and synack and dst host 64.4.56.23 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-To-Microsoft-5" filter="src host 10.0.2.107 and tcp and synack and dst host 65.55.75.231 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-To-Microsoft-4" filter="src host 10.0.2.107 and tcp and synack and dst host 65.55.72.7 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-To-Microsoft-3" filter="src host 10.0.2.107 and tcp and synack and dst host 64.4.52.169 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-To-Microsoft-2" filter="src host 10.0.2.107 and tcp and synack and dst host 65.55.13.243 and dst port 80" label="From-Botnet-V31-2-TCP-Established-HTTP-To-Microsoft-1" filter="src host 10.0.2.107 and tcp and synack and dst host 65.54.186.10 and dst port 443" label="From-Botnet-V31-2-TCP-Established-SSL-To-Microsoft-7" filter="src host 10.0.2.107 and tcp and synack and dst host 65.55.40.23 and dst port 443" label="From-Botnet-V31-2-TCP-Established-SSL-To-Microsoft-6" filter="src host 10.0.2.107 and tcp and synack and dst host 65.54.234.78 and dst port 443" label="From-Botnet-V31-2-TCP-Established-SSL-To-Microsoft-5" filter="src host 10.0.2.107 and tcp and synack and dst host 65.55.16.187 and dst port 443" label="From-Botnet-V31-2-TCP-Established-SSL-To-Microsoft-4" filter="src host 10.0.2.107 and tcp and synack and dst 
host 65.54.234.24 and dst port 443" label="From-Botnet-V31-2-TCP-Established-SSL-To-Microsoft-3" filter="src host 10.0.2.107 and tcp and synack and dst host 65.55.40.215 and dst port 443" label="From-Botnet-V31-2-TCP-Established-SSL-To-Microsoft-2" filter="src host 10.0.2.107 and tcp and synack and dst host 157.55.0.135 and dst port 443" label="From-Botnet-V31-2-TCP-Established-SSL-To-Microsoft-1" ######################### # Generic rules for this botnet # NetBIOS requests from the botnet host inside the LAN filter="src host 10.0.2.107 and udp and not con and dst port 137" label="From-Botnet-V31-2-UDP-Attempt-NetBIOS" # The states are too different... maybe these rules can be split further... filter="src host 10.0.2.107 and tcp and synack and dst port 80" label="From-Botnet-V31-2-TCP-WEB-Established" filter="src host 10.0.2.107 and tcp and synack and dst port 443" label="From-Botnet-V31-2-TCP-WEB-Established-SSL" filter="src host 10.0.2.107 and tcp and synack and dst port 25" label="From-Botnet-V31-2-TCP-Established-SPAM" filter="src host 10.0.2.107 and tcp and synack and dst port 587" label="From-Botnet-V31-2-TCP-Established-SPAM" filter="src host 10.0.2.107 and tcp and syn and dst port 25" label="From-Botnet-V31-2-TCP-Attempt-SPAM" filter="src host 10.0.2.107 and tcp and syn and dst port 587" label="From-Botnet-V31-2-TCP-Attempt-SPAM" filter="src host 10.0.2.107 and tcp and synack" label="From-Botnet-V31-2-TCP-Established" filter="src host 10.0.2.107 and tcp and syn" label="From-Botnet-V31-2-TCP-Attempt" filter="src host 10.0.2.107 and udp and con and dst port 53" label="From-Botnet-V31-2-UDP-DNS" filter="src host 10.0.2.107 and udp and not con and dst port 53" label="From-Botnet-V31-2-UDP-Attempt-DNS" filter="src host 10.0.2.107 and udp and not con" label="From-Botnet-V31-2-UDP-Attempt" filter="src host 10.0.2.107 and udp and con" label="From-Botnet-V31-2-UDP-Established" # ARP filter="src host 10.0.2.107 and arp" label="From-Botnet-V31-2-ARP" 
############################################################################################################################################################### ############### # Generic rules # grill filter="src host 147.32.84.164" label="From-Normal-V31-Grill" filter="dst host 147.32.84.164" label="To-Background-Grill" # jist filter="src host 147.32.84.134" label="From-Normal-V31-Jist" filter="dst host 147.32.84.134" label="To-Background-Jist" # stribrek filter="src host 147.32.84.170" label="From-Normal-V31-Stribrek" # stribrek connecting repeatedly to an audio-stream web page that is down! (note: the more general From-Normal-V31-Stribrek rule above would match first if rules are evaluated in order) filter="src host 147.32.84.170 and tcp and synack and dst host 195.24.232.205 and dst port 80" label="From-Normal-V31-Stribrek-TCP-HTTP-Audio-stream-web-page-down" filter="dst host 147.32.84.170" label="To-Background-Stribrek" # matlab server filter="src host 147.32.87.11" label="From-Normal-V31-MatLab-Server" filter="dst host 147.32.87.11" label="To-Background-MatLab-Server" # webserver FIXXXXXXXX filter="src host 147.32.87.36" label="From-Normal-V31-CVUT-WebServer" filter="dst host 147.32.87.36" label="To-Background-CVUT-WebServer" # NTP servers (UDP): 82.208.56.89, 77.78.110.71 (only 82.208.56.89 is covered by the filter below) filter="dst host 82.208.56.89 and dst port 123 and udp" label="To-Normal-V31-UDP-NTP-server" # Normal labels filter="(src host 147.32.1.20 or src host 147.32.80.9) and src port 53 and udp" label="From-Normal-V31-UDP-CVUT-DNS-Server" filter="(dst host 147.32.1.20 or dst host 147.32.80.9) and dst port 53 and udp" label="To-Background-UDP-CVUT-DNS-Server" # proxy filter="src host 147.32.80.13" label="From-Background-CVUT-Proxy" filter="dst host 147.32.80.13" label="To-Background-CVUT-Proxy" # Background hosts from CVUT; we are not sure whether their traffic is completely normal. 
# exile 147.32.80.76 filter="host 147.32.80.76" label="Background-Exile-Host-CVUT" # smith 147.32.80.72 filter="host 147.32.80.72" label="Background-Smith-Host-CVUT" # smith2 147.32.80.184 filter="host 147.32.80.184" label="Background-Smith2-Host-CVUT" # jones 147.32.80.102 filter="host 147.32.80.102" label="Background-Jones-Host-CVUT" # webdav.agents 147.32.80.109 filter="host 147.32.80.109" label="Background-Webdav.agents-Host-CVUT" # knock 147.32.80.75 filter="host 147.32.80.75" label="Background-Knock-Host-CVUT" # agents 147.32.80.88 filter="host 147.32.80.88" label="Background-Agents-Host-CVUT" # vmm 147.32.83.60 filter="host 147.32.83.60" label="Background-Vmm-Host-CVUT" # info336 147.32.80.73 (NOTE: the filter below uses 147.32.83.73, which does not match this address; confirm which one is intended) filter="host 147.32.83.73" label="Background-Info336-Host-CVUT" # cs 147.32.80.1 filter="host 147.32.80.1" label="Background-CS-Host-CVUT" # www.fel.cvut.cz 147.32.192.13 filter="host 147.32.192.13" label="Background-www.fel.cvut.cz" # cmpgw-27.felk.cvut.cz 147.32.84.59 (not sure whether all of its traffic is normal) filter="host 147.32.84.59 and not con" label="Background-Attempt-cmpgw-CVUT" filter="host 147.32.84.59 and con" label="Background-Established-cmpgw-CVUT" ########################## # Background from Internet # google-analytics filter="host 74.125.232.192" label="Background-google-analytics1" filter="host 74.125.232.193" label="Background-google-analytics2" filter="host 74.125.232.194" label="Background-google-analytics3" filter="host 74.125.232.195" label="Background-google-analytics4" filter="host 74.125.232.196" label="Background-google-analytics5" filter="host 74.125.232.197" label="Background-google-analytics6" filter="host 74.125.232.198" label="Background-google-analytics7" filter="host 74.125.232.199" label="Background-google-analytics8" filter="host 74.125.232.200" label="Background-google-analytics9" filter="host 74.125.232.201" label="Background-google-analytics10" filter="host 74.125.232.202" label="Background-google-analytics11" filter="host 74.125.232.203" 
label="Background-google-analytics12" filter="host 74.125.232.204" label="Background-google-analytics13" filter="host 74.125.232.205" label="Background-google-analytics14" filter="host 74.125.232.206" label="Background-google-analytics15" filter="host 74.125.232.207" label="Background-google-analytics16" # google-webmail filter="host 74.125.232.213" label="Background-google-webmail" # google-pop-email filter="host 74.125.39.108" label="Background-google-pop" # ajax.googleapis.com filter="host 209.85.149.95" label="Background-ajax.google" # Windows update (the 207.200.96.138 rule is listed twice below) filter="host 207.200.96.138 and port 80" label="Normal-V31-HTTP-windowsupdate" filter="host 74.125.218.80 and port 80" label="Normal-V31-HTTP-windowsupdate" filter="host 207.200.96.138 and port 80" label="Normal-V31-HTTP-windowsupdate" filter="host 74.125.108.212 and port 80" label="Normal-V31-HTTP-windowsupdate" filter="host 74.125.108.199 and port 80" label="Normal-V31-HTTP-windowsupdate" # Normal generic rules. Be careful: these match on port and network only, with no source host. # Google Talk voice and video. filter="udp and con and dst net 74.125.47.0/24 and dst port 19295" label="Background-UDP-Google-Voice-Video-Net-Established-1" # Google IM (Jabber/XMPP) chat. filter="tcp and synack and dst net 209.85.163.0/24 and dst port 5222" label="Background-TCP-Google-Jabber-Chat-Net-Established-1" # NTP filter="udp and con and dst port 123" label="Background-UDP-NTP-Established-1" ######################### # Final catch-all Background labels (assumes rules are matched in order, so keep these last) filter="tcp and synack" label="Background-TCP-Established" filter="tcp and syn" label="Background-TCP-Attempt" filter="udp and con" label="Background-UDP-Established" filter="udp and not con" label="Background-UDP-Attempt" filter="" label="Background"