Based on a talk presented at FloCon 2020. See the abstract and presentation slides on the conference website.
import sys, os, json
import numpy as np
import pandas as pd
# Widen the column display so long file paths / hashes are not truncated.
pd.options.display.max_colwidth = 75
import matplotlib.pylab as plt
import matplotlib.dates as mdates
from sysflow.reader import FlattenedSFReader
from sysflow.formatter import SFFormatter
# Utility functions for highlighting dataframe rows
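def highlight_path(r):
    """Row styler: flag rows whose ``file.path`` mentions ``exfil``.

    Intended for ``df.style.apply(highlight_path, axis=1)``; returns one CSS
    string per column of ``r`` so the whole row is coloured.

    Args:
        r: a dataframe row (``pd.Series`` or mapping) carrying a ``file.path``
            entry.

    Returns:
        A list with one entry per column of ``r``: ``'background-color: yellow'``
        for a matching row, ``''`` otherwise.
    """
    path = r.get('file.path')
    # A missing or non-string path (e.g. NaN) is left unstyled instead of
    # raising a TypeError inside the styler.
    hit = isinstance(path, str) and 'exfil' in path
    # Size the list from the row itself rather than the module-level `cols`
    # list, so the styler works for any column selection.
    return ['background-color: yellow' if hit else ''] * len(r)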
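def highlight_ip(r):
    """Row styler: colour network-flow rows by destination address.

    Rows whose ``net.dip`` first octet is ``104`` get a yellow background,
    those whose first octet is ``158`` cyan; everything else is left
    unstyled. Intended for ``df.style.apply(highlight_ip, axis=1)``.

    Args:
        r: a dataframe row (``pd.Series`` or mapping) carrying a ``net.dip``
            entry.

    Returns:
        A list with one CSS string per column of ``r``.
    """
    dip = r.get('net.dip')
    # Compare the first octet exactly: a bare startswith('104') would also
    # accept strings such as '1045...', and a NaN/None address would raise.
    first_octet = dip.split('.', 1)[0] if isinstance(dip, str) else ''
    if first_octet == '104':
        colour = 'background-color: yellow'
    elif first_octet == '158':
        colour = 'background-color: cyan'
    else:
        colour = ''
    # Size the list from the row itself rather than the module-level `_cols`
    # list, so the styler works for any column selection.
    return [colour] * len(r)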
# trace sources and dataframe column selections
# Two captures of the same incident; the NF view below reads the second one.
trace = '../../data/attacks/express/mon.1531776712.sf'
_trace = '../../data/attacks/express/mon.1531776742.sf'

# Column selection for the file-flow (FF) views.
cols = [
    'ts_uts', 'endts_uts', 'type', 'opflags',
    'proc.pid', 'proc.tid', 'proc.exe', 'file.path',
    'flow.rbytes', 'flow.wbytes', 'container.imageid',
]

# Column selection for the process-event (PE) view: parent and child
# pid/exe plus the command line.
cols_ = [
    'ts_uts', 'type', 'opflags',
    'pproc.pid', 'proc.pid', 'pproc.exe', 'proc.exe', 'proc.args',
]

# Column selection for the network-flow (NF) view: process lineage,
# source/destination endpoints and byte counters.
_cols = [
    'ts_uts', 'type', 'opflags', 'proc.pid',
    'pproc.exe', 'proc.exe', 'proc.args',
    'net.sip', 'net.sport', 'net.dip', 'net.dport',
    'flow.rbytes', 'flow.wbytes',
]
# Initial indicator of compromise
# Read the first capture and select file-flow (FF) records where a regular
# file (file.type = f) was written by a process whose name is in the
# http_server_binaries list: a web server writing to disk is the first lead.
reader = FlattenedSFReader(trace)
query = 'type = FF and file.type = f and opflags contains WRITE and proc.name pmatch (http_server_binaries)'
# NOTE(review): defs.yaml presumably supplies the named lists the query
# refers to (http_server_binaries) -- confirm against the formatter docs.
formatter = SFFormatter(reader, defs=['sfql/defs.yaml'])
df = formatter.toDataframe(expr=query, fields=cols)
# Last expression of the cell is what the notebook renders; highlight_path
# marks rows whose file.path contains 'exfil'.
df.style.apply(highlight_path, axis=1)
ts_uts | endts_uts | type | opflags | proc.pid | proc.tid | proc.exe | file.path | flow.rbytes | flow.wbytes | container.imageid | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | 1531776715030353952 | 1531776715030578781 | FF | W T | 2025 | 12406 | /usr/local/bin/node | /tmp/exfil.py | 0 | 6537 | 55f142ac5da7d234c7bba0662149e26bada9c6baaf504f632e13c840206fab7b |
# Policies can also be defined and reused
# Same lead as above, but expressed through a named policy
# ('suspicious_webserver_writes') instead of an inline query; the output
# table is identical. The policy presumably lives in sfql/defs.yaml, given
# the defs argument -- confirm there.
reader = FlattenedSFReader(trace)
formatter = SFFormatter(reader, defs=['sfql/defs.yaml'])
df = formatter.toDataframe(expr='suspicious_webserver_writes', fields=cols)
df.style.apply(highlight_path, axis=1)
ts_uts | endts_uts | type | opflags | proc.pid | proc.tid | proc.exe | file.path | flow.rbytes | flow.wbytes | container.imageid | |
---|---|---|---|---|---|---|---|---|---|---|---|
0 | 1531776715030353952 | 1531776715030578781 | FF | W T | 2025 | 12406 | /usr/local/bin/node | /tmp/exfil.py | 0 | 6537 | 55f142ac5da7d234c7bba0662149e26bada9c6baaf504f632e13c840206fab7b |
# Finding all process executions involving suspicious script
# Pivot from the written file to process activity: every EXEC whose
# ancestry (proc.aname), command line (proc.args) or executed path
# (file.path) mentions exfil.py. No defs are needed here because the query
# uses no named lists.
reader = FlattenedSFReader(trace)
query = 'type = PE and opflags = EXEC and (proc.aname contains exfil.py or proc.args contains exfil.py or file.path contains exfil.py)'
formatter = SFFormatter(reader)
df = formatter.toDataframe(expr=query, fields=cols_)
# Only the first 20 rows are shown; the output below traces node -> /bin/sh -c
# -> /tmp/exfil.py and the apt-get / dpkg children it spawns.
df.head(20)
ts_uts | type | opflags | pproc.pid | proc.pid | pproc.exe | proc.exe | proc.args | |
---|---|---|---|---|---|---|---|---|
0 | 1531776715041743005 | PE | EXEC | 2025 | 17753 | /usr/local/bin/node | /bin/sh | -c /tmp/exfil.py -a |
1 | 1531776715049024767 | PE | EXEC | 17753 | 17754 | /bin/sh | /tmp/exfil.py | /tmp/exfil.py -a |
2 | 1531776715077890260 | PE | EXEC | 17754 | 17757 | /tmp/exfil.py | /tmp/exfil.py | /tmp/exfil.py -a |
3 | 1531776715078056634 | PE | EXEC | 17754 | 17757 | /tmp/exfil.py | /tmp/exfil.py | /tmp/exfil.py -a |
4 | 1531776715078110412 | PE | EXEC | 17754 | 17757 | /tmp/exfil.py | /tmp/exfil.py | /tmp/exfil.py -a |
5 | 1531776715078162793 | PE | EXEC | 17754 | 17757 | /tmp/exfil.py | /tmp/exfil.py | /tmp/exfil.py -a |
6 | 1531776715078210871 | PE | EXEC | 17754 | 17757 | /tmp/exfil.py | /tmp/exfil.py | /tmp/exfil.py -a |
7 | 1531776715078687969 | PE | EXEC | 17754 | 17757 | /tmp/exfil.py | /usr/bin/apt-get | update |
8 | 1531776716574185341 | PE | EXEC | 17757 | 17758 | /usr/bin/apt-get | /usr/bin/apt-get | --print-foreign-architectures |
9 | 1531776718037729035 | PE | EXEC | 17757 | 17767 | /usr/bin/apt-get | /usr/bin/apt-get | |
10 | 1531776721816616574 | PE | EXEC | 13526 | 17819 | /bin/bash | /bin/more | exfil.py |
11 | 1531776724236565898 | PE | EXEC | 17757 | 17826 | /usr/bin/apt-get | /usr/lib/apt/methods/gpgv | |
12 | 1531776735465803137 | PE | EXEC | 17757 | 18005 | /usr/bin/apt-get | /usr/bin/dpkg | --print-foreign-architectures |
13 | 1531776738136774803 | PE | EXEC | 17757 | 18043 | /usr/bin/apt-get | /usr/bin/dpkg | --print-foreign-architectures |
14 | 1531776738141911192 | PE | EXEC | 17754 | 18062 | /tmp/exfil.py | /tmp/exfil.py | /tmp/exfil.py -a |
15 | 1531776738142131579 | PE | EXEC | 17754 | 18062 | /tmp/exfil.py | /tmp/exfil.py | /tmp/exfil.py -a |
16 | 1531776738142187946 | PE | EXEC | 17754 | 18062 | /tmp/exfil.py | /tmp/exfil.py | /tmp/exfil.py -a |
17 | 1531776738142269667 | PE | EXEC | 17754 | 18062 | /tmp/exfil.py | /tmp/exfil.py | /tmp/exfil.py -a |
18 | 1531776738142313320 | PE | EXEC | 17754 | 18062 | /tmp/exfil.py | /tmp/exfil.py | /tmp/exfil.py -a |
19 | 1531776738142823237 | PE | EXEC | 17754 | 18062 | /tmp/exfil.py | /usr/bin/apt-get | install -y python-pip |
# Finding all network flows related to suspicious script
# Pivot again, this time to network flows (NF) attributable to exfil.py in
# the second capture file (_trace). The same three attribution predicates as
# the PE query are used so the two views line up.
reader = FlattenedSFReader(_trace)
query = 'type = NF and (proc.aname contains exfil.py or proc.args contains exfil.py or file.path contains exfil.py)'
formatter = SFFormatter(reader)
df = formatter.toDataframe(expr=query, fields=_cols)
# highlight_ip colours rows by destination: 104.x yellow, 158.x cyan. In the
# output below the script alternates DNS lookups to 172.21.0.10:53 with
# connections to 104.244.42.x:443; the non-zero flow.wbytes on those rows
# are what to compare against the size of the data at risk.
df.style.apply(highlight_ip, axis=1)
ts_uts | type | opflags | proc.pid | pproc.exe | proc.exe | proc.args | net.sip | net.sport | net.dip | net.dport | flow.rbytes | flow.wbytes | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
0 | 1531776749323345932 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 46279 | 172.21.0.10 | 53 | 320 | 0 |
1 | 1531776749324776862 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 39251 | 172.21.0.10 | 53 | 304 | 0 |
2 | 1531776749325392304 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 44331 | 172.21.0.10 | 53 | 296 | 0 |
3 | 1531776749325972739 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49696 | 172.21.0.10 | 53 | 226 | 0 |
4 | 1531776749329986463 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 47186 | 169.60.148.30 | 443 | 6382 | 632 |
5 | 1531776749458675855 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 46512 | 172.21.0.10 | 53 | 304 | 0 |
6 | 1531776749459347173 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 52863 | 172.21.0.10 | 53 | 288 | 0 |
7 | 1531776749460760552 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 37776 | 172.21.0.10 | 53 | 280 | 0 |
8 | 1531776749461295738 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 38725 | 172.21.0.10 | 53 | 205 | 0 |
9 | 1531776749462580967 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 38904 | 158.85.156.21 | 443 | 5737 | 960 |
10 | 1531776749527272268 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 33926 | 172.21.0.10 | 53 | 352 | 0 |
11 | 1531776749527807756 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49201 | 172.21.0.10 | 53 | 336 | 0 |
12 | 1531776749528359961 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 50564 | 172.21.0.10 | 53 | 328 | 0 |
13 | 1531776749528993416 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 39456 | 172.21.0.10 | 53 | 188 | 0 |
14 | 1531776750030532267 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 47198 | 172.21.0.10 | 53 | 304 | 0 |
15 | 1531776750031742949 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 46620 | 172.21.0.10 | 53 | 288 | 0 |
16 | 1531776750032880999 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49205 | 172.21.0.10 | 53 | 280 | 0 |
17 | 1531776750033763223 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 43077 | 172.21.0.10 | 53 | 190 | 0 |
18 | 1531776750090887892 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 36620 | 104.244.42.66 | 443 | 0 | 0 |
19 | 1531776750123097758 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 56888 | 104.244.42.194 | 443 | 5587 | 1162 |
20 | 1531776750667541758 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 37846 | 172.21.0.10 | 53 | 304 | 0 |
21 | 1531776750669694633 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 47968 | 172.21.0.10 | 53 | 288 | 0 |
22 | 1531776750670502493 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 57530 | 172.21.0.10 | 53 | 280 | 0 |
23 | 1531776750671273236 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 50703 | 172.21.0.10 | 53 | 190 | 0 |
24 | 1531776750676558435 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 50061 | 104.244.42.194 | 443 | 0 | 0 |
25 | 1531776750716241723 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42244 | 104.244.42.66 | 443 | 5587 | 1161 |
26 | 1531776751047667381 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 58157 | 172.21.0.10 | 53 | 304 | 0 |
27 | 1531776751048836417 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 52815 | 172.21.0.10 | 53 | 288 | 0 |
28 | 1531776751049798453 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42198 | 172.21.0.10 | 53 | 280 | 0 |
29 | 1531776751050798489 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 53156 | 172.21.0.10 | 53 | 202 | 0 |
30 | 1531776751053492715 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49178 | 104.244.42.194 | 443 | 0 | 0 |
31 | 1531776751094765854 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54726 | 104.244.42.2 | 443 | 5586 | 1160 |
32 | 1531776751621272416 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 47893 | 172.21.0.10 | 53 | 304 | 0 |
33 | 1531776751622109581 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 34064 | 172.21.0.10 | 53 | 288 | 0 |
34 | 1531776751623330621 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 50322 | 172.21.0.10 | 53 | 280 | 0 |
35 | 1531776751624350770 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51050 | 172.21.0.10 | 53 | 202 | 0 |
36 | 1531776751625641938 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40589 | 104.244.42.130 | 443 | 0 | 0 |
37 | 1531776751658840180 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 56912 | 104.244.42.194 | 443 | 5586 | 1159 |
38 | 1531776751945226134 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51495 | 172.21.0.10 | 53 | 304 | 0 |
39 | 1531776751945932695 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 45241 | 172.21.0.10 | 53 | 288 | 0 |
40 | 1531776751946433917 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 33063 | 172.21.0.10 | 53 | 280 | 0 |
41 | 1531776751947895862 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 53373 | 172.21.0.10 | 53 | 190 | 0 |
42 | 1531776751949123708 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49685 | 104.244.42.2 | 443 | 0 | 0 |
43 | 1531776751981518583 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51316 | 104.244.42.130 | 443 | 5583 | 1158 |
44 | 1531776752493835765 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 48583 | 172.21.0.10 | 53 | 304 | 0 |
45 | 1531776752494971766 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49273 | 172.21.0.10 | 53 | 288 | 0 |
46 | 1531776752495803869 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 45243 | 172.21.0.10 | 53 | 280 | 0 |
47 | 1531776752496387781 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 55882 | 172.21.0.10 | 53 | 202 | 0 |
48 | 1531776752498163740 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 60444 | 104.244.42.66 | 443 | 0 | 0 |
49 | 1531776752530256820 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54738 | 104.244.42.2 | 443 | 5587 | 1158 |
50 | 1531776752853960393 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54997 | 172.21.0.10 | 53 | 304 | 0 |
51 | 1531776752855235230 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 36155 | 172.21.0.10 | 53 | 288 | 0 |
52 | 1531776752856028382 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 53162 | 172.21.0.10 | 53 | 280 | 0 |
53 | 1531776752857064933 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 44589 | 172.21.0.10 | 53 | 202 | 0 |
54 | 1531776752858155729 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 36241 | 104.244.42.2 | 443 | 0 | 0 |
55 | 1531776752889173250 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 56920 | 104.244.42.194 | 443 | 5586 | 1159 |
56 | 1531776753189358740 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 43146 | 172.21.0.10 | 53 | 304 | 0 |
57 | 1531776753190221217 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51876 | 172.21.0.10 | 53 | 288 | 0 |
58 | 1531776753191461778 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 60402 | 172.21.0.10 | 53 | 280 | 0 |
59 | 1531776753192291270 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54403 | 172.21.0.10 | 53 | 202 | 0 |
60 | 1531776753193376837 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42152 | 104.244.42.66 | 443 | 0 | 0 |
61 | 1531776753232276038 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54748 | 104.244.42.2 | 443 | 5586 | 1158 |
62 | 1531776753538353129 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 38354 | 172.21.0.10 | 53 | 304 | 0 |
63 | 1531776753538997996 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49825 | 172.21.0.10 | 53 | 288 | 0 |
64 | 1531776753539775627 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 44171 | 172.21.0.10 | 53 | 280 | 0 |
65 | 1531776753540527122 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 53349 | 172.21.0.10 | 53 | 202 | 0 |
66 | 1531776753541516817 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 58601 | 104.244.42.130 | 443 | 0 | 0 |
67 | 1531776753574806114 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42282 | 104.244.42.66 | 443 | 5587 | 1160 |
68 | 1531776753887660322 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 39021 | 172.21.0.10 | 53 | 304 | 0 |
69 | 1531776753888954900 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 57057 | 172.21.0.10 | 53 | 288 | 0 |
70 | 1531776753890000663 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 48318 | 172.21.0.10 | 53 | 280 | 0 |
71 | 1531776753890896575 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 45423 | 172.21.0.10 | 53 | 190 | 0 |
72 | 1531776753891905682 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 38783 | 104.244.42.194 | 443 | 0 | 0 |
73 | 1531776753923040161 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51344 | 104.244.42.130 | 443 | 5586 | 1162 |
74 | 1531776754198288943 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42143 | 172.21.0.10 | 53 | 304 | 0 |
75 | 1531776754199320874 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 43728 | 172.21.0.10 | 53 | 288 | 0 |
76 | 1531776754200188850 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 41492 | 172.21.0.10 | 53 | 280 | 0 |
77 | 1531776754200964255 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 44015 | 172.21.0.10 | 53 | 190 | 0 |
78 | 1531776754202158114 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 33679 | 104.244.42.194 | 443 | 0 | 0 |
79 | 1531776754236516077 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42292 | 104.244.42.66 | 443 | 5585 | 1165 |
80 | 1531776754531142001 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 46654 | 172.21.0.10 | 53 | 304 | 0 |
81 | 1531776754532560070 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 46671 | 172.21.0.10 | 53 | 288 | 0 |
82 | 1531776754533445845 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 43183 | 172.21.0.10 | 53 | 280 | 0 |
83 | 1531776754534400962 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 46252 | 172.21.0.10 | 53 | 202 | 0 |
84 | 1531776754535823091 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 37044 | 104.244.42.130 | 443 | 0 | 0 |
85 | 1531776754574958922 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 56952 | 104.244.42.194 | 443 | 5586 | 1166 |
86 | 1531776754908778661 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 57117 | 172.21.0.10 | 53 | 304 | 0 |
87 | 1531776754909950839 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 48120 | 172.21.0.10 | 53 | 288 | 0 |
88 | 1531776754911098233 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 45242 | 172.21.0.10 | 53 | 280 | 0 |
89 | 1531776754912027965 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54406 | 172.21.0.10 | 53 | 202 | 0 |
90 | 1531776754913393698 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 43396 | 104.244.42.2 | 443 | 0 | 0 |
91 | 1531776754947885545 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51362 | 104.244.42.130 | 443 | 5587 | 1158 |
92 | 1531776755242888219 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 38072 | 172.21.0.10 | 53 | 304 | 0 |
93 | 1531776755243667064 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 33572 | 172.21.0.10 | 53 | 288 | 0 |
94 | 1531776755244941589 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 34421 | 172.21.0.10 | 53 | 280 | 0 |
95 | 1531776755245443360 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54748 | 172.21.0.10 | 53 | 202 | 0 |
96 | 1531776755247021039 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 52649 | 104.244.42.66 | 443 | 0 | 0 |
97 | 1531776755285336085 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54782 | 104.244.42.2 | 443 | 5587 | 1165 |
98 | 1531776755568060838 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 48637 | 172.21.0.10 | 53 | 304 | 0 |
99 | 1531776755569414848 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 60541 | 172.21.0.10 | 53 | 288 | 0 |
100 | 1531776755570314747 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 47567 | 172.21.0.10 | 53 | 280 | 0 |
101 | 1531776755571117180 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 36532 | 172.21.0.10 | 53 | 202 | 0 |
102 | 1531776755572654438 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 50782 | 104.244.42.194 | 443 | 0 | 0 |
103 | 1531776755610656595 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42308 | 104.244.42.66 | 443 | 5588 | 1161 |
104 | 1531776755947087161 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 47763 | 172.21.0.10 | 53 | 304 | 0 |
105 | 1531776755947842721 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 55723 | 172.21.0.10 | 53 | 288 | 0 |
106 | 1531776755949031495 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49458 | 172.21.0.10 | 53 | 280 | 0 |
107 | 1531776755949967618 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51119 | 172.21.0.10 | 53 | 190 | 0 |
108 | 1531776755950950884 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 56719 | 104.244.42.2 | 443 | 0 | 0 |
109 | 1531776755982126903 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 56968 | 104.244.42.194 | 443 | 5587 | 1163 |
110 | 1531776756279270385 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 52362 | 172.21.0.10 | 53 | 304 | 0 |
111 | 1531776756280214168 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 53948 | 172.21.0.10 | 53 | 288 | 0 |
112 | 1531776756281427077 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 46924 | 172.21.0.10 | 53 | 280 | 0 |
113 | 1531776756282529598 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 35073 | 172.21.0.10 | 53 | 202 | 0 |
114 | 1531776756283637105 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 57459 | 104.244.42.66 | 443 | 0 | 0 |
115 | 1531776756325677644 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54790 | 104.244.42.2 | 443 | 5587 | 1163 |
116 | 1531776756600922227 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51486 | 172.21.0.10 | 53 | 304 | 0 |
117 | 1531776756601752419 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40779 | 172.21.0.10 | 53 | 288 | 0 |
118 | 1531776756602523810 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40225 | 172.21.0.10 | 53 | 280 | 0 |
119 | 1531776756603955260 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42449 | 172.21.0.10 | 53 | 202 | 0 |
120 | 1531776756604999169 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40653 | 104.244.42.130 | 443 | 0 | 0 |
121 | 1531776756643960481 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42318 | 104.244.42.66 | 443 | 5587 | 1161 |
122 | 1531776756950265314 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51886 | 172.21.0.10 | 53 | 304 | 0 |
123 | 1531776756951043816 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 52174 | 172.21.0.10 | 53 | 288 | 0 |
124 | 1531776756951583276 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 57180 | 172.21.0.10 | 53 | 280 | 0 |
125 | 1531776756952069287 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 55887 | 172.21.0.10 | 53 | 190 | 0 |
126 | 1531776756953443903 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 46151 | 104.244.42.130 | 443 | 0 | 0 |
127 | 1531776756986900960 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 56982 | 104.244.42.194 | 443 | 5586 | 1161 |
128 | 1531776757286358444 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 44479 | 172.21.0.10 | 53 | 304 | 0 |
129 | 1531776757287517489 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 48389 | 172.21.0.10 | 53 | 288 | 0 |
130 | 1531776757288566286 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 46468 | 172.21.0.10 | 53 | 280 | 0 |
131 | 1531776757289244775 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42679 | 172.21.0.10 | 53 | 190 | 0 |
132 | 1531776757290249566 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 41746 | 104.244.42.194 | 443 | 0 | 0 |
133 | 1531776757326237157 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51388 | 104.244.42.130 | 443 | 5588 | 1161 |
134 | 1531776757699818868 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 38804 | 172.21.0.10 | 53 | 304 | 0 |
135 | 1531776757700878068 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 46140 | 172.21.0.10 | 53 | 288 | 0 |
136 | 1531776757701797480 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 50019 | 172.21.0.10 | 53 | 280 | 0 |
137 | 1531776757702740928 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 34587 | 172.21.0.10 | 53 | 190 | 0 |
138 | 1531776757703634595 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40382 | 104.244.42.2 | 443 | 0 | 0 |
139 | 1531776757741350309 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 56992 | 104.244.42.194 | 443 | 5682 | 1268 |
140 | 1531776758033163276 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 37504 | 172.21.0.10 | 53 | 304 | 0 |
141 | 1531776758033934363 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49102 | 172.21.0.10 | 53 | 288 | 0 |
142 | 1531776758034485106 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 50479 | 172.21.0.10 | 53 | 280 | 0 |
143 | 1531776758035687200 | NF | C R C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 52327 | 172.21.0.10 | 53 | 190 | 0 |
144 | 1531776758037545505 | NF | C C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49561 | 104.244.42.2 | 443 | 0 | 0 |
145 | 1531776758068567589 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51402 | 104.244.42.130 | 443 | 5631 | 1211 |
146 | 1531776749530471060 | NF | CWR C | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40744 | 169.46.118.97 | 443 | 21147 | 31257 |
147 | 1531776750676547243 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 59076 | 104.244.42.2 | 443 | 0 | 0 |
148 | 1531776750676540993 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42902 | 104.244.42.66 | 443 | 0 | 0 |
149 | 1531776758037540031 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40721 | 104.244.42.66 | 443 | 0 | 0 |
150 | 1531776751625636212 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 55514 | 104.244.42.2 | 443 | 0 | 0 |
151 | 1531776751949118337 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 47171 | 104.244.42.66 | 443 | 0 | 0 |
152 | 1531776755950932396 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 35522 | 104.244.42.194 | 443 | 0 | 0 |
153 | 1531776750090876330 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 57342 | 104.244.42.130 | 443 | 0 | 0 |
154 | 1531776756283616071 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 34848 | 104.244.42.2 | 443 | 0 | 0 |
155 | 1531776755247015422 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 33661 | 104.244.42.194 | 443 | 0 | 0 |
156 | 1531776752498146380 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 59411 | 104.244.42.2 | 443 | 0 | 0 |
157 | 1531776753541499034 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 46305 | 104.244.42.66 | 443 | 0 | 0 |
158 | 1531776755572631589 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40695 | 104.244.42.66 | 443 | 0 | 0 |
159 | 1531776755572640206 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42507 | 104.244.42.2 | 443 | 0 | 0 |
160 | 1531776753891894901 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 44696 | 104.244.42.66 | 443 | 0 | 0 |
161 | 1531776754913382857 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 41023 | 104.244.42.194 | 443 | 0 | 0 |
162 | 1531776755247009773 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 48175 | 104.244.42.130 | 443 | 0 | 0 |
163 | 1531776754202140871 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 50267 | 104.244.42.66 | 443 | 0 | 0 |
164 | 1531776756953432438 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 45922 | 104.244.42.66 | 443 | 0 | 0 |
165 | 1531776757290231762 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 44474 | 104.244.42.130 | 443 | 0 | 0 |
166 | 1531776756953425800 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40756 | 104.244.42.194 | 443 | 0 | 0 |
167 | 1531776751053487060 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 36175 | 104.244.42.130 | 443 | 0 | 0 |
168 | 1531776756604988251 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 55084 | 104.244.42.2 | 443 | 0 | 0 |
169 | 1531776750090869924 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40970 | 104.244.42.194 | 443 | 0 | 0 |
170 | 1531776758037534599 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 36028 | 104.244.42.194 | 443 | 0 | 0 |
171 | 1531776754202152465 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 59208 | 104.244.42.130 | 443 | 0 | 0 |
172 | 1531776751625624407 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 41070 | 104.244.42.194 | 443 | 0 | 0 |
173 | 1531776751625630733 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 34768 | 104.244.42.66 | 443 | 0 | 0 |
174 | 1531776753193371184 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 33384 | 104.244.42.130 | 443 | 0 | 0 |
175 | 1531776753541511080 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40703 | 104.244.42.194 | 443 | 0 | 0 |
176 | 1531776755572647273 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 56731 | 104.244.42.130 | 443 | 0 | 0 |
177 | 1531776752498152568 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 60256 | 104.244.42.130 | 443 | 0 | 0 |
178 | 1531776751053481526 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40990 | 104.244.42.66 | 443 | 0 | 0 |
179 | 1531776753891900322 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49934 | 104.244.42.2 | 443 | 0 | 0 |
180 | 1531776758037528277 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 36463 | 104.244.42.130 | 443 | 0 | 0 |
181 | 1531776754202147133 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51654 | 104.244.42.2 | 443 | 0 | 0 |
182 | 1531776756604981817 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 57486 | 104.244.42.66 | 443 | 0 | 0 |
183 | 1531776750676553001 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49429 | 104.244.42.130 | 443 | 0 | 0 |
184 | 1531776753193359243 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54064 | 104.244.42.2 | 443 | 0 | 0 |
185 | 1531776752498158290 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 58286 | 104.244.42.194 | 443 | 0 | 0 |
186 | 1531776756604993756 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 57023 | 104.244.42.194 | 443 | 0 | 0 |
187 | 1531776751053475058 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51464 | 104.244.42.2 | 443 | 0 | 0 |
188 | 1531776754535805615 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 33778 | 104.244.42.194 | 443 | 0 | 0 |
189 | 1531776756283622736 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 35635 | 104.244.42.194 | 443 | 0 | 0 |
190 | 1531776754535817603 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 36201 | 104.244.42.2 | 443 | 0 | 0 |
191 | 1531776751949106739 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 45503 | 104.244.42.130 | 443 | 0 | 0 |
192 | 1531776750090882182 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 51781 | 104.244.42.2 | 443 | 0 | 0 |
193 | 1531776757703617406 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54238 | 104.244.42.194 | 443 | 0 | 0 |
194 | 1531776755950944989 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 58672 | 104.244.42.66 | 443 | 0 | 0 |
195 | 1531776756953438145 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 39941 | 104.244.42.2 | 443 | 0 | 0 |
196 | 1531776754913376685 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 35796 | 104.244.42.130 | 443 | 0 | 0 |
197 | 1531776756283630197 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 42242 | 104.244.42.130 | 443 | 0 | 0 |
198 | 1531776754913388300 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 47367 | 104.244.42.66 | 443 | 0 | 0 |
199 | 1531776752858144744 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 49058 | 104.244.42.130 | 443 | 0 | 0 |
200 | 1531776753541505402 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 36888 | 104.244.42.2 | 443 | 0 | 0 |
201 | 1531776750090873434 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0 |
202 | 1531776755950939023 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 39517 | 104.244.42.130 | 443 | 0 | 0 |
203 | 1531776754535812097 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 34506 | 104.244.42.66 | 443 | 0 | 0 |
204 | 1531776753193365597 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54552 | 104.244.42.194 | 443 | 0 | 0 |
205 | 1531776755247003508 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 34780 | 104.244.42.2 | 443 | 0 | 0 |
206 | 1531776757703623524 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 52462 | 104.244.42.130 | 443 | 0 | 0 |
207 | 1531776752858150298 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 33691 | 104.244.42.66 | 443 | 0 | 0 |
208 | 1531776752858138432 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 48186 | 104.244.42.194 | 443 | 0 | 0 |
209 | 1531776753891888596 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 53175 | 104.244.42.130 | 443 | 0 | 0 |
210 | 1531776757703629078 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 40636 | 104.244.42.66 | 443 | 0 | 0 |
211 | 1531776751949112836 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 52650 | 104.244.42.194 | 443 | 0 | 0 |
212 | 1531776757290238036 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 54133 | 104.244.42.66 | 443 | 0 | 0 |
213 | 1531776757290243861 | NF | C T | 17754 | /bin/dash | /usr/bin/python2.7 | /tmp/exfil.py -a | 172.30.106.116 | 44005 | 104.244.42.2 | 443 | 0 | 0 |
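# Plot bytes read/written per flow record of the suspicious script, in time
# order.  Note: this keeps file flows (FF) as well as network flows (NF), so
# the bars are not exclusively network traffic; `df` is whatever the previous
# cell built.
flows = df[df.type.isin(['FF', 'NF'])].copy()
# ts_uts is a nanosecond Unix timestamp (values around 1.53e18 in the output
# above); convert it so the tick labels are readable datetimes rather than
# 19-digit integers, and sort so the bars run chronologically (the source
# rows are not in time order).
flows['ts'] = pd.to_datetime(pd.to_numeric(flows['ts_uts']), unit='ns')
flows = flows.sort_values('ts')
# A bar plot places bars at categorical positions 0..n-1, so a date locator
# (mdates.AutoDateLocator) would not line up with the bars; label the
# categorical ticks with the timestamps instead.
ax = flows.plot.bar(x='ts', y=['flow.rbytes', 'flow.wbytes'], rot=45, figsize=(20, 5))
plt.gcf().autofmt_xdate()
plt.show()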
# Count records per SysFlow type (FE/FF/NF/PE) over the whole trace, with no
# filter expression, to see the overall record mix.
reader = FlattenedSFReader(trace)
formatter = SFFormatter(reader)
df = formatter.toDataframe(fields=cols)
# Count of non-null ts_uts per type, presented as a single 'count' column.
types = df.groupby('type')['ts_uts'].count().to_frame('count')
types
count | |
---|---|
type | |
FE | 3 |
FF | 6002 |
NF | 86 |
PE | 234 |
# Rank file paths by how many records touched them.  Empty strings stand in
# for "no path" in the flattened frame, so they are mapped to NaN and dropped
# before grouping; records without a file.path (e.g. NF/PE) fall out here.
_df = df.replace('', np.nan).dropna(subset=['file.path'])
# Non-null ts_uts count per path, exposed as a single 'count' column.
paths = _df[cols].groupby('file.path')['ts_uts'].count().to_frame('count')
# Most-touched paths first.
paths.sort_values('count', ascending=False)
count | |
---|---|
file.path | |
/etc/ld.so.cache | 96 |
/lib/x86_64-linux-gnu/libc.so.6 | 48 |
/dev/null | 20 |
pipe:[66729332] | 18 |
/etc/hosts | 16 |
... | ... |
/var/lib/apt/lists/lock | 1 |
/etc/services | 1 |
/etc/apt/sources.list.d | 1 |
/var/lib/apt/lists/deb.debian.org_debian_dists_jessie-updates_InRelease | 1 |
/tmp/malware.log | 1 |
915 rows × 1 columns